From 0f50842cee11cfc320ccc86a282aee28c57dbf22 Mon Sep 17 00:00:00 2001 From: Marc Guasch Date: Tue, 9 Feb 2021 10:32:08 +0100 Subject: [PATCH 1/6] Upgrade cef to ecs 1.8.0. (#23832) Co-authored-by: Adrian Serrano --- CHANGELOG.next.asciidoc | 1 + .../filebeat/module/cef/log/config/input.yml | 2 +- .../module/cef/log/ingest/pipeline.yml | 29 +++++++++++++----- .../log/test/fp-ngfw-smc.log-expected.json | 30 +++++++++++++++++++ 4 files changed, 53 insertions(+), 9 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 904ac3011a7..2b5b15edc52 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -833,6 +833,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Update Filebeat auditd dataset to ECS 1.8.0. {pull}23723[23723] {issue}23118[23118] - Updated microsoft defender_atp and m365_defender to ECS 1.8. {pull}23897[23897] {issue}23118[23118] - Updated o365 module to ECS 1.8. {issue}23118[23118] {pull}23896[23896] +- Upgrade CEF module to ECS 1.8.0. {pull}23832[23832] *Heartbeat* diff --git a/x-pack/filebeat/module/cef/log/config/input.yml b/x-pack/filebeat/module/cef/log/config/input.yml index 4568f659c3a..7916908599e 100644 --- a/x-pack/filebeat/module/cef/log/config/input.yml +++ b/x-pack/filebeat/module/cef/log/config/input.yml @@ -28,7 +28,7 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 {{ if .external_zones }} - add_fields: diff --git a/x-pack/filebeat/module/cef/log/ingest/pipeline.yml b/x-pack/filebeat/module/cef/log/ingest/pipeline.yml index 676f66a943a..18a2cda4bf2 100644 --- a/x-pack/filebeat/module/cef/log/ingest/pipeline.yml +++ b/x-pack/filebeat/module/cef/log/ingest/pipeline.yml @@ -52,35 +52,48 @@ processors: - append: field: related.hash value: "{{cef.extensions.fileHash}}" - if: "ctx?.cef?.extensions?.fileHash != null" + allow_duplicates: false + if: "ctx?.cef?.extensions?.fileHash != null && ctx?.cef?.extensions?.fileHash != ''" - append: field: related.hash value: "{{cef.extensions.oldFileHash}}" - if: "ctx?.cef?.extensions?.oldFileHash != null" + allow_duplicates: false + if: "ctx?.cef?.extensions?.oldFileHash != null && ctx?.cef?.extensions?.oldFileHash != ''" - append: field: related.ip value: "{{destination.ip}}" - if: "ctx?.destination?.ip != null" + allow_duplicates: false + if: "ctx?.destination?.ip != null && ctx?.destination?.ip != ''" - append: field: related.ip value: "{{destination.nat.ip}}" - if: "ctx?.destination?.nat?.ip != null" + allow_duplicates: false + if: "ctx?.destination?.nat?.ip != null && ctx?.destination?.nat?.ip != ''" - append: field: related.ip value: "{{source.ip}}" - if: "ctx?.source?.ip != null" + allow_duplicates: false + if: "ctx?.source?.ip != null && ctx?.source?.ip != ''" - append: field: related.ip value: "{{source.nat.ip}}" - if: "ctx?.source?.nat?.ip != null" + allow_duplicates: false + if: "ctx?.source?.nat?.ip != null && ctx?.source?.nat?.ip != ''" - append: field: related.user value: "{{destination.user.name}}" - if: "ctx?.destination?.user?.name != null" + allow_duplicates: false + if: "ctx?.destination?.user?.name != null && ctx?.destination?.user?.name != ''" - append: field: related.user value: "{{source.user.name}}" - if: "ctx?.source?.user?.name != null" + allow_duplicates: false + if: "ctx?.source?.user?.name != null && ctx?.source?.user?.name != ''" + - append: + field: related.hosts + value: "{{observer.hostname}}" + allow_duplicates: false + if: "ctx?.observer?.hostname != null && ctx?.observer?.hostname != ''" - pipeline: name: '{< IngestPipeline "fp-pipeline" >}' if: "ctx.cef?.device?.vendor == 'FORCEPOINT'" diff --git a/x-pack/filebeat/module/cef/log/test/fp-ngfw-smc.log-expected.json b/x-pack/filebeat/module/cef/log/test/fp-ngfw-smc.log-expected.json index 70ef4f7776f..3087409c970 100644 --- a/x-pack/filebeat/module/cef/log/test/fp-ngfw-smc.log-expected.json +++ b/x-pack/filebeat/module/cef/log/test/fp-ngfw-smc.log-expected.json @@ -27,6 +27,9 @@ "observer.product": "Firewall", "observer.vendor": "FORCEPOINT", "observer.version": "6.6.1", + "related.hosts": [ + "10.1.1.40" + ], "service.type": "cef", "tags": [ "cef", @@ -61,6 +64,9 @@ "observer.product": "Firewall", "observer.vendor": "FORCEPOINT", "observer.version": "6.6.1", + "related.hosts": [ + "10.1.1.40" + ], "service.type": "cef", "tags": [ "cef", @@ -108,6 +114,9 @@ "observer.product": "Firewall", "observer.vendor": "FORCEPOINT", "observer.version": "6.6.1", + "related.hosts": [ + "10.1.1.40" + ], "related.ip": [ "10.1.1.40", "10.37.205.252" @@ -161,6 +170,9 @@ "observer.product": "Firewall", "observer.vendor": "FORCEPOINT", "observer.version": "unknown", + "related.hosts": [ + "10.1.1.10" + ], "related.ip": [ "255.255.255.255", "172.16.1.1" @@ -214,6 +226,9 @@ "observer.product": "Firewall", "observer.vendor": "FORCEPOINT", "observer.version": "unknown", + "related.hosts": [ + "10.1.1.1" + ], "related.ip": [ "192.168.1.1", "172.16.1.1" @@ -264,6 +279,9 @@ "observer.product": "Firewall", "observer.vendor": "FORCEPOINT", "observer.version": "unknown", + "related.hosts": [ + "10.1.1.6" + ], "related.user": [ "alice" ], @@ -304,6 +322,9 @@ "observer.product": "Firewall", "observer.vendor": "FORCEPOINT", "observer.version": "unknown", + "related.hosts": [ + "10.1.1.3" + ], "related.ip": [ "192.168.1.1" ], @@ -347,6 +368,9 @@ "observer.product": "Firewall", "observer.vendor": "FORCEPOINT", "observer.version": "unknown", + "related.hosts": [ + "10.1.1.10" + ], "related.ip": [ "192.168.1.1" ], @@ -390,6 +414,9 @@ "observer.product": "Firewall", "observer.vendor": "FORCEPOINT", "observer.version": "unknown", + "related.hosts": [ + "10.1.1.8" + ], "related.ip": [ "172.16.2.1" ], @@ -432,6 +459,9 @@ "observer.product": "Firewall", "observer.vendor": "FORCEPOINT", "observer.version": "6.6.1", + "related.hosts": [ + "10.1.1.40" + ], "service.type": "cef", "tags": [ "cef", From fa2980d8d6571216a510c5b04415a2651b39e3df Mon Sep 17 00:00:00 2001 From: Marc Guasch Date: Tue, 9 Feb 2021 11:36:46 +0100 Subject: [PATCH 2/6] Upgrade fortinet/firewall to ECS 1.8 (#23902) --- CHANGELOG.next.asciidoc | 1 + .../fortinet/firewall/config/firewall.yml | 2 +- .../module/fortinet/firewall/ingest/event.yml | 87 ---------- .../fortinet/firewall/ingest/pipeline.yml | 163 ++++++++++++++---- .../fortinet/firewall/ingest/traffic.yml | 98 +---------- .../module/fortinet/firewall/ingest/utm.yml | 87 ---------- .../firewall/test/fortinet.log-expected.json | 27 +-- 7 files changed, 146 insertions(+), 319 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 2b5b15edc52..d6ec4de1db1 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -834,6 +834,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Updated microsoft defender_atp and m365_defender to ECS 1.8. {pull}23897[23897] {issue}23118[23118] - Updated o365 module to ECS 1.8. {issue}23118[23118] {pull}23896[23896] - Upgrade CEF module to ECS 1.8.0. {pull}23832[23832] +- Upgrade fortinet/firewall to ECS 1.8 {issue}23118[23118] {pull}23902[23902] *Heartbeat* diff --git a/x-pack/filebeat/module/fortinet/firewall/config/firewall.yml b/x-pack/filebeat/module/fortinet/firewall/config/firewall.yml index cddd13573a4..e455019cfdc 100644 --- a/x-pack/filebeat/module/fortinet/firewall/config/firewall.yml +++ b/x-pack/filebeat/module/fortinet/firewall/config/firewall.yml @@ -27,7 +27,7 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 {{ if .external_interfaces }} - add_fields: diff --git a/x-pack/filebeat/module/fortinet/firewall/ingest/event.yml b/x-pack/filebeat/module/fortinet/firewall/ingest/event.yml index 8278c538c26..4e299f4be08 100644 --- a/x-pack/filebeat/module/fortinet/firewall/ingest/event.yml +++ b/x-pack/filebeat/module/fortinet/firewall/ingest/event.yml @@ -242,93 +242,6 @@ processors: type: integer ignore_failure: true ignore_missing: true -- geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - if: "ctx.source?.geo == null" -- geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - if: "ctx.destination?.geo == null" -- geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true -- geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true -- geoip: - field: source.nat.ip - target_field: source.geo - ignore_missing: true - if: "ctx.source?.geo == null" -- geoip: - field: destination.nat.ip - target_field: destination.geo - ignore_missing: true - if: "ctx.destination?.geo == null" -- geoip: - database_file: GeoLite2-ASN.mmdb - field: source.nat.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - if: "ctx.source?.as == null" -- geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.nat.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - if: "ctx.destination?.as == null" -- rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true -- rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true -- rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true -- rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true -- script: - lang: painless - source: ctx.network.bytes = ctx.source.bytes + ctx.destination.bytes - if: "ctx?.source?.bytes != null && ctx?.destination?.bytes != null" - ignore_failure: true -- append: - field: related.ip - value: "{{source.ip}}" - if: "ctx.source?.ip != null" -- append: - field: related.ip - value: "{{destination.ip}}" - if: "ctx.destination?.ip != null" -- append: - field: related.user - value: "{{source.user.name}}" - if: "ctx.source?.user?.name != null" - remove: field: - fortinet.firewall.dstport diff --git a/x-pack/filebeat/module/fortinet/firewall/ingest/pipeline.yml b/x-pack/filebeat/module/fortinet/firewall/ingest/pipeline.yml index a227d770082..c103fd14700 100644 --- a/x-pack/filebeat/module/fortinet/firewall/ingest/pipeline.yml +++ b/x-pack/filebeat/module/fortinet/firewall/ingest/pipeline.yml @@ -15,14 +15,17 @@ processors: ignore_missing: true ignore_failure: false trim_value: "\"" -- remove: - field: fortinet.tmp.assignip - if: "ctx.fortinet?.tmp?.assignip == 'N/A'" - ignore_missing: true - rename: field: fortinet.tmp target_field: fortinet.firewall ignore_missing: true +- script: + lang: painless + source: | + def fw = ctx?.fortinet?.firewall; + if (fw != null) { + fw.entrySet().removeIf(entry -> entry.getValue() == "N/A"); + } - set: field: observer.vendor value: Fortinet @@ -134,36 +137,6 @@ processors: field: fortinet.firewall.level target_field: log.level ignore_missing: true -- remove: - field: fortinet.firewall.assignip - if: "ctx.fortinet?.firewall?.assignip == 'N/A'" -- remove: - field: fortinet.firewall.dstip - if: "ctx.fortinet?.firewall?.dstip == 'N/A'" -- remove: - field: fortinet.firewall.srcip - if: "ctx.fortinet?.firewall?.srcip == 'N/A'" -- remove: - field: fortinet.firewall.remip - if: "ctx.fortinet?.firewall?.remip == 'N/A'" -- remove: - field: fortinet.firewall.locip - if: "ctx.fortinet?.firewall?.locip == 'N/A'" -- remove: - field: fortinet.firewall.group - if: "ctx.fortinet?.firewall?.group == 'N/A'" -- remove: - field: fortinet.firewall.user - if: "ctx.fortinet?.firewall?.user == 'N/A'" -- remove: - field: fortinet.firewall.tranip - if: "ctx.fortinet?.firewall?.tranip == 'N/A'" -- remove: - field: fortinet.firewall.transip - if: "ctx.fortinet?.firewall?.transip == 'N/A'" -- remove: - field: fortinet.firewall.tunnelip - if: "ctx.fortinet?.firewall?.tunnelip == 'N/A'" # Handle interface-based network directionality - set: field: network.direction @@ -259,6 +232,128 @@ processors: field: fortinet.firewall.size type: long ignore_missing: true +- geoip: + field: source.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true +- geoip: + field: source.nat.ip + target_field: source.geo + ignore_missing: true + if: "ctx.source?.geo == null" +- geoip: + field: destination.nat.ip + target_field: destination.geo + ignore_missing: true + if: "ctx.destination?.geo == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: source.nat.ip + target_field: source.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.source?.as == null" +- geoip: + database_file: GeoLite2-ASN.mmdb + field: destination.nat.ip + target_field: destination.as + properties: + - asn + - organization_name + ignore_missing: true + if: "ctx.destination?.as == null" +- rename: + field: source.as.asn + target_field: source.as.number + ignore_missing: true +- rename: + field: source.as.organization_name + target_field: source.as.organization.name + ignore_missing: true +- rename: + field: destination.as.asn + target_field: destination.as.number + ignore_missing: true +- rename: + field: destination.as.organization_name + target_field: destination.as.organization.name + ignore_missing: true +- script: + lang: painless + source: "ctx.network.bytes = ctx.source.bytes + ctx.destination.bytes" + if: "ctx?.source?.bytes != null && ctx?.destination?.bytes != null" + ignore_failure: true +- script: + lang: painless + source: "ctx.network.packets = ctx.source.packets + ctx.destination.packets" + if: "ctx?.source?.packets != null && ctx?.destination?.packets != null" + ignore_failure: true +- append: + field: related.ip + value: "{{source.ip}}" + if: "ctx.source?.ip != null" +- append: + field: related.ip + value: "{{destination.ip}}" + if: "ctx.destination?.ip != null" +- append: + field: related.user + value: "{{source.user.name}}" + if: "ctx.source?.user?.name != null" +- append: + field: related.user + value: "{{destination.user.name}}" + if: "ctx.destination?.user?.name != null" +- append: + field: related.hosts + value: "{{destination.address}}" + if: "ctx.destination?.address != null" +- append: + field: related.hosts + value: "{{source.address}}" + if: "ctx.source?.address != null" +- append: + field: related.hosts + value: "{{dns.question.name}}" + if: "ctx.dns?.question?.name != null" +- script: + lang: painless + source: | + def dnsIPs = ctx?.dns?.resolved_ip; + if (dnsIPs != null && dnsIPs instanceof List) { + if (ctx?.related?.ip == null) { + ctx.related.ip = []; + } + for (ip in dnsIPs) { + if (!ctx.related.ip.contains(ip)) { + ctx.related.ip.add(ip); + } + } + } on_failure: - set: field: error.message diff --git a/x-pack/filebeat/module/fortinet/firewall/ingest/traffic.yml b/x-pack/filebeat/module/fortinet/firewall/ingest/traffic.yml index 051a3eca2f8..5166332e2a1 100644 --- a/x-pack/filebeat/module/fortinet/firewall/ingest/traffic.yml +++ b/x-pack/filebeat/module/fortinet/firewall/ingest/traffic.yml @@ -200,102 +200,6 @@ processors: field: fortinet.firewall.url target_field: url.path ignore_missing: true -- geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - if: "ctx.source?.geo == null" -- geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - if: "ctx.destination?.geo == null" -- geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true -- geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true -- geoip: - field: source.nat.ip - target_field: source.geo - ignore_missing: true - if: "ctx.source?.geo == null" -- geoip: - field: destination.nat.ip - target_field: destination.geo - ignore_missing: true - if: "ctx.destination?.geo == null" -- geoip: - database_file: GeoLite2-ASN.mmdb - field: source.nat.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - if: "ctx.source?.as == null" -- geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.nat.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - if: "ctx.destination?.as == null" -- rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true -- rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true -- rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true -- rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true -- script: - lang: painless - source: "ctx.network.bytes = ctx.source.bytes + ctx.destination.bytes" - if: "ctx?.source?.bytes != null && ctx?.destination?.bytes != null" - ignore_failure: true -- script: - lang: painless - source: "ctx.network.packets = ctx.source.packets + ctx.destination.packets" - if: "ctx?.source?.packets != null && ctx?.destination?.packets != null" - ignore_failure: true -- append: - field: related.ip - value: "{{source.ip}}" - if: "ctx.source?.ip != null" -- append: - field: related.ip - value: "{{destination.ip}}" - if: "ctx.destination?.ip != null" -- append: - field: related.user - value: "{{source.user.name}}" - if: "ctx.source?.user?.name != null" -- append: - field: related.user - value: "{{destination.user.name}}" - if: "ctx.destination?.user?.name != null" - remove: field: - fortinet.firewall.dstport @@ -310,4 +214,4 @@ processors: on_failure: - set: field: error.message - value: '{{ _ingest.on_failure_message }}' \ No newline at end of file + value: '{{ _ingest.on_failure_message }}' diff --git a/x-pack/filebeat/module/fortinet/firewall/ingest/utm.yml b/x-pack/filebeat/module/fortinet/firewall/ingest/utm.yml index e3df460546c..a788aa4c8bc 100644 --- a/x-pack/filebeat/module/fortinet/firewall/ingest/utm.yml +++ b/x-pack/filebeat/module/fortinet/firewall/ingest/utm.yml @@ -348,93 +348,6 @@ processors: field: fortinet.firewall.filehash target_field: fortinet.file.hash.crc32 ignore_missing: true -- geoip: - field: source.ip - target_field: source.geo - ignore_missing: true - if: "ctx.source?.geo == null" -- geoip: - field: destination.ip - target_field: destination.geo - ignore_missing: true - if: "ctx.destination?.geo == null" -- geoip: - database_file: GeoLite2-ASN.mmdb - field: source.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true -- geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true -- geoip: - field: source.nat.ip - target_field: source.geo - ignore_missing: true - if: "ctx.source?.geo == null" -- geoip: - field: destination.nat.ip - target_field: destination.geo - ignore_missing: true - if: "ctx.destination?.geo == null" -- geoip: - database_file: GeoLite2-ASN.mmdb - field: source.nat.ip - target_field: source.as - properties: - - asn - - organization_name - ignore_missing: true - if: "ctx.source?.as == null" -- geoip: - database_file: GeoLite2-ASN.mmdb - field: destination.nat.ip - target_field: destination.as - properties: - - asn - - organization_name - ignore_missing: true - if: "ctx.destination?.as == null" -- rename: - field: source.as.asn - target_field: source.as.number - ignore_missing: true -- rename: - field: source.as.organization_name - target_field: source.as.organization.name - ignore_missing: true -- rename: - field: destination.as.asn - target_field: destination.as.number - ignore_missing: true -- rename: - field: destination.as.organization_name - target_field: destination.as.organization.name - ignore_missing: true -- script: - lang: painless - source: "ctx.network.bytes = ctx.source.bytes + ctx.destination.bytes" - if: "ctx?.source?.bytes != null && ctx?.destination?.bytes != null" - ignore_failure: true -- append: - field: related.ip - value: "{{source.ip}}" - if: "ctx.source?.ip != null" -- append: - field: related.ip - value: "{{destination.ip}}" - if: "ctx.destination?.ip != null" -- append: - field: related.user - value: "{{source.user.name}}" - if: "ctx.source?.user?.name != null" - append: field: related.hash value: "{{fortinet.file.hash.crc32}}" diff --git a/x-pack/filebeat/module/fortinet/firewall/test/fortinet.log-expected.json b/x-pack/filebeat/module/fortinet/firewall/test/fortinet.log-expected.json index 2a485f787f4..172748796d1 100644 --- a/x-pack/filebeat/module/fortinet/firewall/test/fortinet.log-expected.json +++ b/x-pack/filebeat/module/fortinet/firewall/test/fortinet.log-expected.json @@ -427,6 +427,9 @@ "observer.serial_number": "somerouterid", "observer.type": "firewall", "observer.vendor": "Fortinet", + "related.hosts": [ + "elastic.example.com" + ], "related.ip": [ "192.168.2.1", "8.8.8.8" @@ -498,9 +501,13 @@ "observer.serial_number": "somerouterid", "observer.type": "firewall", "observer.vendor": "Fortinet", + "related.hosts": [ + "elastic.example.com" + ], "related.ip": [ "192.168.2.1", - "8.8.8.8" + "8.8.8.8", + "8.8.4.4" ], "rule.category": "Web-based Email", "rule.id": "26", @@ -642,6 +649,9 @@ "observer.serial_number": "somerouterid", "observer.type": "firewall", "observer.vendor": "Fortinet", + "related.hosts": [ + "elastic.co" + ], "related.ip": [ "192.168.2.1", "8.8.8.8" @@ -704,6 +714,9 @@ "observer.serial_number": "somerouterid", "observer.type": "firewall", "observer.vendor": "Fortinet", + "related.hosts": [ + "elastic.co" + ], "related.ip": [ "192.168.2.1", "8.8.8.8" @@ -864,9 +877,6 @@ "fortinet.firewall.subtype": "vpn", "fortinet.firewall.type": "event", "fortinet.firewall.vd": "root", - "fortinet.firewall.vpntunnel": "N/A", - "fortinet.firewall.xauthgroup": "N/A", - "fortinet.firewall.xauthuser": "N/A", "input.type": "log", "log.level": "error", "log.offset": 7112, @@ -934,8 +944,6 @@ "fortinet.firewall.type": "event", "fortinet.firewall.vd": "root", "fortinet.firewall.vpntunnel": "elasticvpn", - "fortinet.firewall.xauthgroup": "N/A", - "fortinet.firewall.xauthuser": "N/A", "input.type": "log", "log.level": "notice", "log.offset": 7680, @@ -1096,8 +1104,6 @@ "fortinet.firewall.type": "event", "fortinet.firewall.vd": "root", "fortinet.firewall.vpntunnel": "testvpn", - "fortinet.firewall.xauthgroup": "N/A", - "fortinet.firewall.xauthuser": "N/A", "input.type": "log", "log.level": "notice", "log.offset": 9122, @@ -1198,7 +1204,6 @@ }, { "@timestamp": "2020-04-23T12:23:47.000-05:00", - "destination.address": "N/A", "destination.as.number": 15169, "destination.as.organization.name": "Google LLC", "destination.geo.continent_name": "North America", @@ -1221,7 +1226,6 @@ ], "fileset.name": "firewall", "fortinet.firewall.action": "ssl-new-con", - "fortinet.firewall.reason": "N/A", "fortinet.firewall.subtype": "vpn", "fortinet.firewall.tunnelid": "2", "fortinet.firewall.tunneltype": "ssl", @@ -1248,7 +1252,6 @@ }, { "@timestamp": "2020-04-23T12:23:47.000-05:00", - "destination.address": "N/A", "destination.as.number": 3356, "destination.as.organization.name": "Level 3 Parent, LLC", "destination.geo.continent_name": "North America", @@ -2005,8 +2008,6 @@ "fortinet.firewall.type": "event", "fortinet.firewall.vd": "root", "fortinet.firewall.vpntunnel": "P1_Test", - "fortinet.firewall.xauthgroup": "N/A", - "fortinet.firewall.xauthuser": "N/A", "input.type": "log", "log.level": "notice", "log.offset": 17123, From 8cb2be2dc1cbade855a31b742ca7bdb33deb8786 Mon Sep 17 00:00:00 2001 From: Marc Guasch Date: Tue, 9 Feb 2021 13:12:04 +0100 Subject: [PATCH 3/6] [ECS] Zeek upgrade to ecs 1.8.0 (#23847) * Change ecs version to 1.8.0 * Add ecs mappings to http and mysql filesets --- CHANGELOG.next.asciidoc | 1 + .../zeek/capture_loss/config/capture_loss.yml | 2 +- .../zeek/connection/config/connection.yml | 2 +- .../module/zeek/dce_rpc/config/dce_rpc.yml | 2 +- .../filebeat/module/zeek/dhcp/config/dhcp.yml | 2 +- .../filebeat/module/zeek/dnp3/config/dnp3.yml | 2 +- .../filebeat/module/zeek/dns/config/dns.yml | 2 +- .../filebeat/module/zeek/dpd/config/dpd.yml | 2 +- .../module/zeek/files/config/files.yml | 2 +- .../filebeat/module/zeek/ftp/config/ftp.yml | 2 +- .../filebeat/module/zeek/http/config/http.yml | 3 +- .../module/zeek/http/test/http-json.log | 4 +- .../http/test/http-json.log-expected.json | 74 +++++++++++++++++++ .../module/zeek/intel/config/intel.yml | 2 +- .../filebeat/module/zeek/irc/config/irc.yml | 2 +- .../module/zeek/kerberos/config/kerberos.yml | 2 +- .../module/zeek/modbus/config/modbus.yml | 2 +- .../module/zeek/mysql/config/mysql.yml | 2 +- .../module/zeek/mysql/ingest/pipeline.yml | 4 + .../module/zeek/notice/config/notice.yml | 2 +- .../filebeat/module/zeek/ntlm/config/ntlm.yml | 2 +- .../filebeat/module/zeek/ocsp/config/ocsp.yml | 2 +- x-pack/filebeat/module/zeek/pe/config/pe.yml | 2 +- .../module/zeek/radius/config/radius.yml | 2 +- .../filebeat/module/zeek/rdp/config/rdp.yml | 2 +- .../filebeat/module/zeek/rfb/config/rfb.yml | 2 +- .../filebeat/module/zeek/sip/config/sip.yml | 2 +- .../module/zeek/smb_cmd/config/smb_cmd.yml | 2 +- .../zeek/smb_files/config/smb_files.yml | 2 +- .../zeek/smb_mapping/config/smb_mapping.yml | 2 +- .../filebeat/module/zeek/smtp/config/smtp.yml | 2 +- .../filebeat/module/zeek/snmp/config/snmp.yml | 2 +- .../module/zeek/socks/config/socks.yml | 2 +- .../filebeat/module/zeek/ssh/config/ssh.yml | 2 +- .../filebeat/module/zeek/ssl/config/ssl.yml | 2 +- .../module/zeek/stats/config/stats.yml | 2 +- .../module/zeek/syslog/config/syslog.yml | 2 +- .../zeek/traceroute/config/traceroute.yml | 2 +- .../module/zeek/tunnel/config/tunnel.yml | 2 +- .../module/zeek/weird/config/weird.yml | 2 +- .../filebeat/module/zeek/x509/config/x509.yml | 2 +- 41 files changed, 119 insertions(+), 39 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index d6ec4de1db1..7331baaebbc 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -835,6 +835,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Updated o365 module to ECS 1.8. {issue}23118[23118] {pull}23896[23896] - Upgrade CEF module to ECS 1.8.0. {pull}23832[23832] - Upgrade fortinet/firewall to ECS 1.8 {issue}23118[23118] {pull}23902[23902] +- Upgrade Zeek to ECS 1.8.0. {issue}23118[23118] {pull}23847[23847] *Heartbeat* diff --git a/x-pack/filebeat/module/zeek/capture_loss/config/capture_loss.yml b/x-pack/filebeat/module/zeek/capture_loss/config/capture_loss.yml index 73d374965aa..66a028f309d 100644 --- a/x-pack/filebeat/module/zeek/capture_loss/config/capture_loss.yml +++ b/x-pack/filebeat/module/zeek/capture_loss/config/capture_loss.yml @@ -22,4 +22,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/zeek/connection/config/connection.yml b/x-pack/filebeat/module/zeek/connection/config/connection.yml index 179f20a9043..71169efdf28 100644 --- a/x-pack/filebeat/module/zeek/connection/config/connection.yml +++ b/x-pack/filebeat/module/zeek/connection/config/connection.yml @@ -102,4 +102,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/zeek/dce_rpc/config/dce_rpc.yml b/x-pack/filebeat/module/zeek/dce_rpc/config/dce_rpc.yml index f86600e146d..b14165562ea 100644 --- a/x-pack/filebeat/module/zeek/dce_rpc/config/dce_rpc.yml +++ b/x-pack/filebeat/module/zeek/dce_rpc/config/dce_rpc.yml @@ -58,4 +58,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/zeek/dhcp/config/dhcp.yml b/x-pack/filebeat/module/zeek/dhcp/config/dhcp.yml index 9e659922486..b59227d30df 100644 --- a/x-pack/filebeat/module/zeek/dhcp/config/dhcp.yml +++ b/x-pack/filebeat/module/zeek/dhcp/config/dhcp.yml @@ -120,4 +120,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/zeek/dnp3/config/dnp3.yml b/x-pack/filebeat/module/zeek/dnp3/config/dnp3.yml index 89a389c597e..6cd83108b41 100644 --- a/x-pack/filebeat/module/zeek/dnp3/config/dnp3.yml +++ b/x-pack/filebeat/module/zeek/dnp3/config/dnp3.yml @@ -68,4 +68,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/zeek/dns/config/dns.yml b/x-pack/filebeat/module/zeek/dns/config/dns.yml index 9381f616b89..73130461034 100644 --- a/x-pack/filebeat/module/zeek/dns/config/dns.yml +++ b/x-pack/filebeat/module/zeek/dns/config/dns.yml @@ -210,4 +210,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/zeek/dpd/config/dpd.yml b/x-pack/filebeat/module/zeek/dpd/config/dpd.yml index 6d14aa2cd4d..b7a9c30ec10 100644 --- a/x-pack/filebeat/module/zeek/dpd/config/dpd.yml +++ b/x-pack/filebeat/module/zeek/dpd/config/dpd.yml @@ -57,4 +57,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/zeek/files/config/files.yml b/x-pack/filebeat/module/zeek/files/config/files.yml index af6fdedb326..19dfddb9bf5 100644 --- a/x-pack/filebeat/module/zeek/files/config/files.yml +++ b/x-pack/filebeat/module/zeek/files/config/files.yml @@ -42,4 +42,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/zeek/ftp/config/ftp.yml b/x-pack/filebeat/module/zeek/ftp/config/ftp.yml index db39c759637..6acba2ed0c8 100644 --- a/x-pack/filebeat/module/zeek/ftp/config/ftp.yml +++ b/x-pack/filebeat/module/zeek/ftp/config/ftp.yml @@ -86,4 +86,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/zeek/http/config/http.yml b/x-pack/filebeat/module/zeek/http/config/http.yml index d44f361b8af..25bdbf709d1 100644 --- a/x-pack/filebeat/module/zeek/http/config/http.yml +++ b/x-pack/filebeat/module/zeek/http/config/http.yml @@ -76,6 +76,7 @@ processors: - {from: "destination.address", to: "destination.ip", type: "ip"} - {from: "destination.port", to: "url.port"} - {from: "http.request.method", to: "event.action"} + - {from: "url.username", to: "user.name"} ignore_missing: true fail_on_error: false - add_fields: @@ -93,4 +94,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/zeek/http/test/http-json.log b/x-pack/filebeat/module/zeek/http/test/http-json.log index 733495725a3..82b680f7275 100644 --- a/x-pack/filebeat/module/zeek/http/test/http-json.log +++ b/x-pack/filebeat/module/zeek/http/test/http-json.log @@ -1,2 +1,2 @@ -{"ts":1547687130.172944,"uid":"CCNp8v1SNzY7v9d1Ih","id.orig_h":"10.178.98.102","id.orig_p":62995,"id.resp_h":"17.253.5.203","id.resp_p":80,"trans_depth":1,"method":"GET","host":"ocsp.apple.com","uri":"/ocsp04-aaica02/ME4wTKADAgEAMEUwQzBBMAkGBSsOAwIaBQAEFNqvF+Za6oA4ceFRLsAWwEInjUhJBBQx6napI3Sl39T97qDBpp7GEQ4R7AIIUP1IOZZ86ns=","version":"1.1","user_agent":"com.apple.trustd/2.0","request_body_len":0,"response_body_len":3735,"status_code":200,"status_msg":"OK","tags":[],"resp_fuids":["F5zuip1tSwASjNAHy7"],"resp_mime_types":["application/ocsp-response"]} -{"ts":1547707019.757479,"uid":"CMnIaR2V8VXyu7EPs","id.orig_h":"10.20.8.197","id.orig_p":35684,"id.resp_h":"34.206.130.40","id.resp_p":80,"trans_depth":1,"method":"GET","host":"httpbin.org","uri":"/ip","version":"1.1","user_agent":"curl/7.58.0","request_body_len":0,"response_body_len":32,"status_code":200,"status_msg":"OK","tags":[],"resp_fuids":["FwGPlr1GcKUWWdkXoi"],"resp_mime_types":["text/json"]} \ No newline at end of file +{"ts":1547687130.172944,"uid":"CCNp8v1SNzY7v9d1Ih","id.orig_h":"10.178.98.102","id.orig_p":62995,"id.resp_h":"17.253.5.203","username":"user","id.resp_p":80,"trans_depth":1,"method":"GET","host":"ocsp.apple.com","uri":"/ocsp04-aaica02/ME4wTKADAgEAMEUwQzBBMAkGBSsOAwIaBQAEFNqvF+Za6oA4ceFRLsAWwEInjUhJBBQx6napI3Sl39T97qDBpp7GEQ4R7AIIUP1IOZZ86ns=","version":"1.1","user_agent":"com.apple.trustd/2.0","request_body_len":0,"response_body_len":3735,"status_code":200,"status_msg":"OK","tags":[],"resp_fuids":["F5zuip1tSwASjNAHy7"],"resp_mime_types":["application/ocsp-response"]} +{"ts":1547707019.757479,"uid":"CMnIaR2V8VXyu7EPs","id.orig_h":"10.20.8.197","id.orig_p":35684,"id.resp_h":"34.206.130.40","id.resp_p":80,"trans_depth":1,"method":"GET","host":"httpbin.org","uri":"/ip","version":"1.1","user_agent":"curl/7.58.0","request_body_len":0,"response_body_len":32,"status_code":200,"status_msg":"OK","tags":[],"resp_fuids":["FwGPlr1GcKUWWdkXoi"],"resp_mime_types":["text/json"]} diff --git a/x-pack/filebeat/module/zeek/http/test/http-json.log-expected.json b/x-pack/filebeat/module/zeek/http/test/http-json.log-expected.json index 200950e922a..0b101cda6e1 100644 --- a/x-pack/filebeat/module/zeek/http/test/http-json.log-expected.json +++ b/x-pack/filebeat/module/zeek/http/test/http-json.log-expected.json @@ -43,6 +43,9 @@ "10.178.98.102", "17.253.5.203" ], + "related.user": [ + "user" + ], "service.type": "zeek", "source.address": "10.178.98.102", "source.ip": "10.178.98.102", @@ -53,6 +56,8 @@ "url.domain": "ocsp.apple.com", "url.original": "/ocsp04-aaica02/ME4wTKADAgEAMEUwQzBBMAkGBSsOAwIaBQAEFNqvF+Za6oA4ceFRLsAWwEInjUhJBBQx6napI3Sl39T97qDBpp7GEQ4R7AIIUP1IOZZ86ns=", "url.port": 80, + "url.username": "user", + "user.name": "user", "user_agent.device.name": "Other", "user_agent.name": "Other", "user_agent.original": "com.apple.trustd/2.0", @@ -66,5 +71,74 @@ "zeek.http.tags": [], "zeek.http.trans_depth": 1, "zeek.session_id": "CCNp8v1SNzY7v9d1Ih" + }, + { + "@timestamp": "2019-01-17T06:36:59.757Z", + "destination.address": "34.206.130.40", + "destination.as.number": 14618, + "destination.as.organization.name": "Amazon.com, Inc.", + "destination.geo.city_name": "Ashburn", + "destination.geo.continent_name": "North America", + "destination.geo.country_iso_code": "US", + "destination.geo.country_name": "United States", + "destination.geo.location.lat": 39.0481, + "destination.geo.location.lon": -77.4728, + "destination.geo.region_iso_code": "US-VA", + "destination.geo.region_name": "Virginia", + "destination.ip": "34.206.130.40", + "destination.port": 80, + "event.action": "get", + "event.category": [ + "network", + "web" + ], + "event.dataset": "zeek.http", + "event.id": "CMnIaR2V8VXyu7EPs", + "event.kind": "event", + "event.module": "zeek", + "event.outcome": "success", + "event.type": [ + "connection", + "info", + "protocol" + ], + "fileset.name": "http", + "http.request.body.bytes": 0, + "http.request.method": "GET", + "http.response.body.bytes": 32, + "http.response.status_code": 200, + "http.version": "1.1", + "input.type": "log", + "log.offset": 574, + "network.community_id": "1:Ol0Btm49e1mxnu/BXm1GM8w5ixY=", + "network.transport": "tcp", + "related.ip": [ + "10.20.8.197", + "34.206.130.40" + ], + "service.type": "zeek", + "source.address": "10.20.8.197", + "source.ip": "10.20.8.197", + "source.port": 35684, + "tags": [ + "zeek.http" + ], + "url.domain": "httpbin.org", + "url.original": "/ip", + "url.port": 80, + "user_agent.device.name": "Other", + "user_agent.name": "curl", + "user_agent.original": "curl/7.58.0", + "user_agent.version": "7.58.0", + "zeek.http.resp_fuids": [ + "FwGPlr1GcKUWWdkXoi" + ], + "zeek.http.resp_mime_types": [ + "text/json" + ], + "zeek.http.status_msg": "OK", + "zeek.http.tags": [], + "zeek.http.trans_depth": 1, + "zeek.session_id": "CMnIaR2V8VXyu7EPs" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/zeek/intel/config/intel.yml b/x-pack/filebeat/module/zeek/intel/config/intel.yml index 15fa51970d2..d48dec70d0e 100644 --- a/x-pack/filebeat/module/zeek/intel/config/intel.yml +++ b/x-pack/filebeat/module/zeek/intel/config/intel.yml @@ -67,4 +67,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/zeek/irc/config/irc.yml b/x-pack/filebeat/module/zeek/irc/config/irc.yml index cfc251d8616..58e1d861b13 100644 --- a/x-pack/filebeat/module/zeek/irc/config/irc.yml +++ b/x-pack/filebeat/module/zeek/irc/config/irc.yml @@ -72,4 +72,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/zeek/kerberos/config/kerberos.yml b/x-pack/filebeat/module/zeek/kerberos/config/kerberos.yml index 40ec169b7b1..6035aa9fba2 100644 --- a/x-pack/filebeat/module/zeek/kerberos/config/kerberos.yml +++ b/x-pack/filebeat/module/zeek/kerberos/config/kerberos.yml @@ -104,4 +104,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/zeek/modbus/config/modbus.yml b/x-pack/filebeat/module/zeek/modbus/config/modbus.yml index c1a4e8980b6..759dfc78536 100644 --- a/x-pack/filebeat/module/zeek/modbus/config/modbus.yml +++ b/x-pack/filebeat/module/zeek/modbus/config/modbus.yml @@ -73,4 +73,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/zeek/mysql/config/mysql.yml b/x-pack/filebeat/module/zeek/mysql/config/mysql.yml index ebd1675c36c..b3f5d82d489 100644 --- a/x-pack/filebeat/module/zeek/mysql/config/mysql.yml +++ b/x-pack/filebeat/module/zeek/mysql/config/mysql.yml @@ -72,4 +72,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/zeek/mysql/ingest/pipeline.yml b/x-pack/filebeat/module/zeek/mysql/ingest/pipeline.yml index ce2de353549..d5552af6d29 100644 --- a/x-pack/filebeat/module/zeek/mysql/ingest/pipeline.yml +++ b/x-pack/filebeat/module/zeek/mysql/ingest/pipeline.yml @@ -80,6 +80,10 @@ processors: field: event.type value: end if: "ctx?.zeek?.mysql?.cmd != null && ctx.zeek.mysql.cmd == 'connect_out'" +- append: + field: event.category + value: session + if: "ctx?.zeek?.mysql?.cmd != null && (ctx.zeek.mysql.cmd == 'connect' || ctx.zeek.mysql.cmd == 'connect_out')" on_failure: - set: field: error.message diff --git a/x-pack/filebeat/module/zeek/notice/config/notice.yml b/x-pack/filebeat/module/zeek/notice/config/notice.yml index 8d5fd59ecda..4b09b7bc41f 100644 --- a/x-pack/filebeat/module/zeek/notice/config/notice.yml +++ b/x-pack/filebeat/module/zeek/notice/config/notice.yml @@ -104,4 +104,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/zeek/ntlm/config/ntlm.yml b/x-pack/filebeat/module/zeek/ntlm/config/ntlm.yml index 5cbc5f40514..bcdf04d899f 100644 --- a/x-pack/filebeat/module/zeek/ntlm/config/ntlm.yml +++ b/x-pack/filebeat/module/zeek/ntlm/config/ntlm.yml @@ -86,4 +86,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/zeek/ocsp/config/ocsp.yml b/x-pack/filebeat/module/zeek/ocsp/config/ocsp.yml index 7094312427d..d929f70633f 100644 --- a/x-pack/filebeat/module/zeek/ocsp/config/ocsp.yml +++ b/x-pack/filebeat/module/zeek/ocsp/config/ocsp.yml @@ -64,4 +64,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/zeek/pe/config/pe.yml b/x-pack/filebeat/module/zeek/pe/config/pe.yml index b0bc5a71b43..34b81b46117 100644 --- a/x-pack/filebeat/module/zeek/pe/config/pe.yml +++ b/x-pack/filebeat/module/zeek/pe/config/pe.yml @@ -33,4 +33,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/zeek/radius/config/radius.yml b/x-pack/filebeat/module/zeek/radius/config/radius.yml index 87eb92ff92d..0779807c8fe 100644 --- a/x-pack/filebeat/module/zeek/radius/config/radius.yml +++ b/x-pack/filebeat/module/zeek/radius/config/radius.yml @@ -58,4 +58,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/zeek/rdp/config/rdp.yml b/x-pack/filebeat/module/zeek/rdp/config/rdp.yml index 27757d6279f..f29a099da6b 100644 --- a/x-pack/filebeat/module/zeek/rdp/config/rdp.yml +++ b/x-pack/filebeat/module/zeek/rdp/config/rdp.yml @@ -88,4 +88,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/zeek/rfb/config/rfb.yml b/x-pack/filebeat/module/zeek/rfb/config/rfb.yml index b518662dcce..0f974ac07d7 100644 --- a/x-pack/filebeat/module/zeek/rfb/config/rfb.yml +++ b/x-pack/filebeat/module/zeek/rfb/config/rfb.yml @@ -73,4 +73,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/zeek/sip/config/sip.yml b/x-pack/filebeat/module/zeek/sip/config/sip.yml index 09501c99ff8..3530b53ce8b 100644 --- a/x-pack/filebeat/module/zeek/sip/config/sip.yml +++ b/x-pack/filebeat/module/zeek/sip/config/sip.yml @@ -95,4 +95,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/zeek/smb_cmd/config/smb_cmd.yml b/x-pack/filebeat/module/zeek/smb_cmd/config/smb_cmd.yml index 514e086e76b..7b0ba2dd6dc 100644 --- a/x-pack/filebeat/module/zeek/smb_cmd/config/smb_cmd.yml +++ b/x-pack/filebeat/module/zeek/smb_cmd/config/smb_cmd.yml @@ -101,4 +101,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/zeek/smb_files/config/smb_files.yml b/x-pack/filebeat/module/zeek/smb_files/config/smb_files.yml index e61da9cb365..aa530a6f0de 100644 --- a/x-pack/filebeat/module/zeek/smb_files/config/smb_files.yml +++ b/x-pack/filebeat/module/zeek/smb_files/config/smb_files.yml @@ -61,4 +61,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/zeek/smb_mapping/config/smb_mapping.yml b/x-pack/filebeat/module/zeek/smb_mapping/config/smb_mapping.yml index c1e7908205d..414432e30a6 100644 --- a/x-pack/filebeat/module/zeek/smb_mapping/config/smb_mapping.yml +++ b/x-pack/filebeat/module/zeek/smb_mapping/config/smb_mapping.yml @@ -57,4 +57,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/zeek/smtp/config/smtp.yml b/x-pack/filebeat/module/zeek/smtp/config/smtp.yml index f6abbf96616..cf31baf7d0c 100644 --- a/x-pack/filebeat/module/zeek/smtp/config/smtp.yml +++ b/x-pack/filebeat/module/zeek/smtp/config/smtp.yml @@ -67,4 +67,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/zeek/snmp/config/snmp.yml b/x-pack/filebeat/module/zeek/snmp/config/snmp.yml index 1b4587e3298..b508ee874df 100644 --- a/x-pack/filebeat/module/zeek/snmp/config/snmp.yml +++ b/x-pack/filebeat/module/zeek/snmp/config/snmp.yml @@ -69,4 +69,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/zeek/socks/config/socks.yml b/x-pack/filebeat/module/zeek/socks/config/socks.yml index 72ef4e99d53..cc486a60c40 100644 --- a/x-pack/filebeat/module/zeek/socks/config/socks.yml +++ b/x-pack/filebeat/module/zeek/socks/config/socks.yml @@ -67,4 +67,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/zeek/ssh/config/ssh.yml b/x-pack/filebeat/module/zeek/ssh/config/ssh.yml index c72f4424988..14e673c3e04 100644 --- a/x-pack/filebeat/module/zeek/ssh/config/ssh.yml +++ b/x-pack/filebeat/module/zeek/ssh/config/ssh.yml @@ -76,4 +76,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/zeek/ssl/config/ssl.yml b/x-pack/filebeat/module/zeek/ssl/config/ssl.yml index c64a851913d..cf3281a5d76 100644 --- a/x-pack/filebeat/module/zeek/ssl/config/ssl.yml +++ b/x-pack/filebeat/module/zeek/ssl/config/ssl.yml @@ -94,4 +94,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/zeek/stats/config/stats.yml b/x-pack/filebeat/module/zeek/stats/config/stats.yml index 3bbd773979e..a8fcb0ce6b9 100644 --- a/x-pack/filebeat/module/zeek/stats/config/stats.yml +++ b/x-pack/filebeat/module/zeek/stats/config/stats.yml @@ -97,4 +97,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/zeek/syslog/config/syslog.yml b/x-pack/filebeat/module/zeek/syslog/config/syslog.yml index cecb93d857d..167e7ea9569 100644 --- a/x-pack/filebeat/module/zeek/syslog/config/syslog.yml +++ b/x-pack/filebeat/module/zeek/syslog/config/syslog.yml @@ -57,4 +57,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/zeek/traceroute/config/traceroute.yml b/x-pack/filebeat/module/zeek/traceroute/config/traceroute.yml index 47bc7d2f99c..35671bd15a4 100644 --- a/x-pack/filebeat/module/zeek/traceroute/config/traceroute.yml +++ b/x-pack/filebeat/module/zeek/traceroute/config/traceroute.yml @@ -45,4 +45,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/zeek/tunnel/config/tunnel.yml b/x-pack/filebeat/module/zeek/tunnel/config/tunnel.yml index 0186311141c..8bf2bd3ed48 100644 --- a/x-pack/filebeat/module/zeek/tunnel/config/tunnel.yml +++ b/x-pack/filebeat/module/zeek/tunnel/config/tunnel.yml @@ -56,4 +56,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/zeek/weird/config/weird.yml b/x-pack/filebeat/module/zeek/weird/config/weird.yml index 4d3248b4515..317001ec2e4 100644 --- a/x-pack/filebeat/module/zeek/weird/config/weird.yml +++ b/x-pack/filebeat/module/zeek/weird/config/weird.yml @@ -56,4 +56,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/zeek/x509/config/x509.yml b/x-pack/filebeat/module/zeek/x509/config/x509.yml index 25b4c0a5419..0f9b418e4fa 100644 --- a/x-pack/filebeat/module/zeek/x509/config/x509.yml +++ b/x-pack/filebeat/module/zeek/x509/config/x509.yml @@ -67,4 +67,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 From 696c30cdb4bad20c139faf29ecf01e4568943433 Mon Sep 17 00:00:00 2001 From: Adrian Serrano Date: Tue, 9 Feb 2021 17:45:53 +0100 Subject: [PATCH 4/6] Update Filebeat azure module to ECS 1.8 (#23927) Updates azure module to add some extra ECS fields: - event.original - user.email - related.ip - related.user --- CHANGELOG.next.asciidoc | 1 + .../activitylogs/config/azure-eventhub.yml | 2 +- .../module/azure/activitylogs/config/file.yml | 2 +- .../azure/activitylogs/ingest/pipeline.yml | 36 +++++++++++++++++-- .../test/activitylogs.log-expected.json | 5 +++ .../supporttickets_write.log-expected.json | 9 +++++ .../azure/auditlogs/config/azure-eventhub.yml | 2 +- .../module/azure/auditlogs/config/file.yml | 2 +- .../azure/auditlogs/ingest/pipeline.yml | 7 ++-- .../test/auditlogs.log-expected.json | 1 + .../platformlogs/config/azure-eventhub.yml | 2 +- .../module/azure/platformlogs/config/file.yml | 2 +- .../azure/platformlogs/ingest/pipeline.yml | 16 +++++++-- .../platformlogs-eventhub.log-expected.json | 1 + .../test/platformlogs-kube.log-expected.json | 1 + .../signinlogs/config/azure-eventhub.yml | 2 +- .../module/azure/signinlogs/config/file.yml | 2 +- .../azure/signinlogs/ingest/pipeline.yml | 16 +++++++-- .../test/signinlogs.log-expected.json | 10 ++++++ 19 files changed, 99 insertions(+), 20 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 7331baaebbc..01f25ed4ddc 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -836,6 +836,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Upgrade CEF module to ECS 1.8.0. {pull}23832[23832] - Upgrade fortinet/firewall to ECS 1.8 {issue}23118[23118] {pull}23902[23902] - Upgrade Zeek to ECS 1.8.0. {issue}23118[23118] {pull}23847[23847] +- Updated azure module to ECS 1.8. {issue}23118[23118] {pull}23927[23927] *Heartbeat* diff --git a/x-pack/filebeat/module/azure/activitylogs/config/azure-eventhub.yml b/x-pack/filebeat/module/azure/activitylogs/config/azure-eventhub.yml index 29e6d770780..8701cae46fb 100644 --- a/x-pack/filebeat/module/azure/activitylogs/config/azure-eventhub.yml +++ b/x-pack/filebeat/module/azure/activitylogs/config/azure-eventhub.yml @@ -13,4 +13,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/azure/activitylogs/config/file.yml b/x-pack/filebeat/module/azure/activitylogs/config/file.yml index 402a1b25b12..4242dc4cd7b 100644 --- a/x-pack/filebeat/module/azure/activitylogs/config/file.yml +++ b/x-pack/filebeat/module/azure/activitylogs/config/file.yml @@ -11,4 +11,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/azure/activitylogs/ingest/pipeline.yml b/x-pack/filebeat/module/azure/activitylogs/ingest/pipeline.yml index a7a581db2b2..d9621f0694f 100644 --- a/x-pack/filebeat/module/azure/activitylogs/ingest/pipeline.yml +++ b/x-pack/filebeat/module/azure/activitylogs/ingest/pipeline.yml @@ -21,10 +21,11 @@ processors: ignore_failure: true formats: - ISO8601 +- rename: + field: message + target_field: event.original - remove: - field: - - message - - azure.activitylogs.time + field: azure.activitylogs.time ignore_missing: true - rename: field: azure.activitylogs.resourceId @@ -34,6 +35,15 @@ processors: field: azure.activitylogs.callerIpAddress target_field: source.ip ignore_missing: true +- set: + field: client.ip + value: '{{source.ip}}' + ignore_empty_value: true +- append: + field: related.ip + value: '{{source.ip}}' + allow_duplicates: false + if: 'ctx.source?.ip != null' - rename: field: azure.activitylogs.level target_field: log.level @@ -223,6 +233,26 @@ processors: patterns: - '%{USERNAME:user.name}@%{HOSTNAME:user.domain}' ignore_missing: true + ignore_failure: true + +# set user.email to the original name if the above grok succeeded. +- set: + field: user.email + value: '{{azure.activitylogs.identity.claims_initiated_by_user.name}}' + ignore_empty_value: true + if: 'ctx.user?.name != null' + +# set user.name to the original name if the above grok failed (name format is not an email). +- set: + field: user.name + value: '{{azure.activitylogs.identity.claims_initiated_by_user.name}}' + ignore_empty_value: true + if: 'ctx.user?.name == null' +- append: + field: related.user + value: '{{user.name}}' + allow_duplicates: false + if: 'ctx.user?.name != null' - convert: field: azure.activitylogs.identity.claims_initiated_by_user.fullname target_field: user.full_name diff --git a/x-pack/filebeat/module/azure/activitylogs/test/activitylogs.log-expected.json b/x-pack/filebeat/module/azure/activitylogs/test/activitylogs.log-expected.json index 3f86faee084..245269fbfb6 100644 --- a/x-pack/filebeat/module/azure/activitylogs/test/activitylogs.log-expected.json +++ b/x-pack/filebeat/module/azure/activitylogs/test/activitylogs.log-expected.json @@ -35,12 +35,14 @@ "azure.resource.namespace": "AZURELSEVENTS", "azure.resource.provider": "MICROSOFT.EVENTHUB", "azure.subscription_id": "8a4de8b5-095c-47d0-a96f-a75130c61d53", + "client.ip": "51.251.141.41", "cloud.provider": "azure", "event.action": "MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/LISTKEYS/ACTION", "event.dataset": "azure.activitylogs", "event.duration": 0, "event.kind": "event", "event.module": "azure", + "event.original": "{\"callerIpAddress\":\"51.251.141.41\",\"category\":\"Action\",\"correlationId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"durationMs\":0,\"identity\":{\"authorization\":{\"action\":\"Microsoft.EventHub/namespaces/authorizationRules/listKeys/action\",\"evidence\":{\"principalId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"principalType\":\"ServicePrincipal\",\"role\":\"Azure EventGrid Service BuiltIn Role\",\"roleAssignmentId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"roleAssignmentScope\":\"/subscriptions/8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"roleDefinitionId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\"},\"scope\":\"/subscriptions/8a4de8b5-095c-47d0-a96f-a75130c61d53/resourceGroups/sa-hem/providers/Microsoft.EventHub/namespaces/azurelsevents/authorizationRules/RootManageSharedAccessKey\"},\"claims\":{\"aio\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"appid\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"appidacr\":\"2\",\"aud\":\"https://management.core.windows.net/\",\"exp\":\"1571904826\",\"http://schemas.microsoft.com/identity/claims/identityprovider\":\"https://sts.windows.net/8a4de8b5-095c-47d0-a96f-a75130c61d53/\",\"http://schemas.microsoft.com/identity/claims/objectidentifier\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"http://schemas.microsoft.com/identity/claims/tenantid\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"iat\":\"1571875726\",\"iss\":\"https://sts.windows.net/8a4de8b5-095c-47d0-a96f-a75130c61d53/\",\"nbf\":\"1571875726\",\"uti\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"ver\":\"1.0\"}},\"level\":\"Information\",\"location\":\"global\",\"operationName\":\"MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/LISTKEYS/ACTION\",\"resourceId\":\"/SUBSCRIPTIONS/8a4de8b5-095c-47d0-a96f-a75130c61d53/RESOURCEGROUPS/SA-HEMA/PROVIDERS/MICROSOFT.EVENTHUB/NAMESPACES/AZURELSEVENTS/AUTHORIZATIONRULES/ROOTMANAGESHAREDACCESSKEY\",\"resultSignature\":\"Started.\",\"resultType\":\"Start\",\"time\":\"2019-10-24T00:13:46.3554259Z\"}", "event.type": [ "change" ], @@ -53,6 +55,9 @@ "input.type": "log", "log.level": "Information", "log.offset": 0, + "related.ip": [ + "51.251.141.41" + ], "service.type": "azure", "source.geo.continent_name": "Europe", "source.geo.country_iso_code": "GB", diff --git a/x-pack/filebeat/module/azure/activitylogs/test/supporttickets_write.log-expected.json b/x-pack/filebeat/module/azure/activitylogs/test/supporttickets_write.log-expected.json index 5f14108e4c4..28c9ca7cd00 100644 --- a/x-pack/filebeat/module/azure/activitylogs/test/supporttickets_write.log-expected.json +++ b/x-pack/filebeat/module/azure/activitylogs/test/supporttickets_write.log-expected.json @@ -39,12 +39,14 @@ "azure.correlation_id": "c776f9f4-36e5-4e0e-809b-c9b3c3fb62a8", "azure.resource.id": "/subscriptions/s1/resourceGroups/MSSupportGroup/providers/microsoft.support/supporttickets/115012112305841", "azure.resource.provider": "microsoft.support/supporttickets/115012112305841", + "client.ip": "111.111.111.11", "cloud.provider": "azure", "event.action": "microsoft.support/supporttickets/write", "event.dataset": "azure.activitylogs", "event.duration": -1468967296, "event.kind": "event", "event.module": "azure", + "event.original": "{\"time\":\"2015-01-21T22:14:26.9792776Z\",\"resourceId\":\"/subscriptions/s1/resourceGroups/MSSupportGroup/providers/microsoft.support/supporttickets/115012112305841\",\"operationName\":\"microsoft.support/supporttickets/write\",\"category\":\"Write\",\"resultType\":\"Success\",\"resultSignature\":\"Succeeded.Created\",\"durationMs\":2826,\"callerIpAddress\":\"111.111.111.11\",\"correlationId\":\"c776f9f4-36e5-4e0e-809b-c9b3c3fb62a8\",\"identity\":{\"authorization\":{\"scope\":\"/subscriptions/s1/resourceGroups/MSSupportGroup/providers/microsoft.support/supporttickets/115012112305841\",\"action\":\"microsoft.support/supporttickets/write\",\"evidence\":{\"role\":\"Subscription Admin\"}},\"claims\":{\"aud\":\"https://management.core.windows.net/\",\"iss\":\"https://sts.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/\",\"iat\":\"1421876371\",\"nbf\":\"1421876371\",\"exp\":\"1421880271\",\"ver\":\"1.0\",\"http://schemas.microsoft.com/identity/claims/tenantid\":\"1e8d8218-c5e7-4578-9acc-9abbd5d23315 \",\"http://schemas.microsoft.com/claims/authnmethodsreferences\":\"pwd\",\"http://schemas.microsoft.com/identity/claims/objectidentifier\":\"2468adf0-8211-44e3-95xq-85137af64708\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn\":\"admin@contoso.com\",\"puid\":\"20030000801A118C\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier\":\"9vckmEGF7zDKk1YzIY8k0t1_EAPaXoeHyPRn6f413zM\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname\":\"John\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname\":\"Smith\",\"name\":\"John Smith\",\"groups\":\"cacfe77c-e058-4712-83qw-f9b08849fd60,7f71d11d-4c41-4b23-99d2-d32ce7aa621c,31522864-0578-4ea0-9gdc-e66cc564d18c\",\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name\":\" admin@contoso.com\",\"appid\":\"c44b4083-3bq0-49c1-b47d-974e53cbdf3c\",\"appidacr\":\"2\",\"http://schemas.microsoft.com/identity/claims/scope\":\"user_impersonation\",\"http://schemas.microsoft.com/claims/authnclassreference\":\"1\"}},\"level\":\"Information\",\"location\":\"global\",\"properties\":{\"statusCode\":\"Created\",\"serviceRequestId\":\"50d5cddb-8ca0-47ad-9b80-6cde2207f97c\"}}", "event.outcome": "success", "event.type": [ "change" @@ -58,6 +60,12 @@ "input.type": "log", "log.level": "Information", "log.offset": 0, + "related.ip": [ + "111.111.111.11" + ], + "related.user": [ + "admin" + ], "service.type": "azure", "source.as.number": 2516, "source.as.organization.name": "KDDI CORPORATION", @@ -71,6 +79,7 @@ "forwarded" ], "user.domain": "contoso.com", + "user.email": " admin@contoso.com", "user.full_name": "John Smith", "user.name": "admin" } diff --git a/x-pack/filebeat/module/azure/auditlogs/config/azure-eventhub.yml b/x-pack/filebeat/module/azure/auditlogs/config/azure-eventhub.yml index f7894a5c3bf..7f5eb091550 100644 --- a/x-pack/filebeat/module/azure/auditlogs/config/azure-eventhub.yml +++ b/x-pack/filebeat/module/azure/auditlogs/config/azure-eventhub.yml @@ -12,4 +12,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/azure/auditlogs/config/file.yml b/x-pack/filebeat/module/azure/auditlogs/config/file.yml index d24e13efdcb..ded48a1474f 100644 --- a/x-pack/filebeat/module/azure/auditlogs/config/file.yml +++ b/x-pack/filebeat/module/azure/auditlogs/config/file.yml @@ -10,4 +10,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/azure/auditlogs/ingest/pipeline.yml b/x-pack/filebeat/module/azure/auditlogs/ingest/pipeline.yml index e6a29f6cc13..052fd9d69ae 100644 --- a/x-pack/filebeat/module/azure/auditlogs/ingest/pipeline.yml +++ b/x-pack/filebeat/module/azure/auditlogs/ingest/pipeline.yml @@ -39,10 +39,11 @@ processors: field: azure.auditlogs.level target_field: log.level ignore_missing: true +- rename: + field: message + target_field: event.original - remove: - field: - - message - - azure.auditlogs.time + field: azure.auditlogs.time ignore_missing: true - convert: field: azure.auditlogs.operationName diff --git a/x-pack/filebeat/module/azure/auditlogs/test/auditlogs.log-expected.json b/x-pack/filebeat/module/azure/auditlogs/test/auditlogs.log-expected.json index 7d18285024a..3e4e3c64313 100644 --- a/x-pack/filebeat/module/azure/auditlogs/test/auditlogs.log-expected.json +++ b/x-pack/filebeat/module/azure/auditlogs/test/auditlogs.log-expected.json @@ -34,6 +34,7 @@ "event.duration": 0, "event.kind": "event", "event.module": "azure", + "event.original": "{\"category\":\"AuditLogs\",\"correlationId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"durationMs\":0,\"identity\":\"Device Registration Service\",\"level\":\"Informational\",\"operationName\":\"Update device\",\"operationVersion\":\"1.0\",\"properties\":{\"activityDateTime\":\"2019-10-18T15:30:51.0273716+00:00\",\"activityDisplayName\":\"Update device\",\"category\":\"Device\",\"correlationId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"id\":\"Directory_ESQ\",\"initiatedBy\":{\"app\":{\"appId\":null,\"displayName\":\"Device Registration Service\",\"servicePrincipalId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"servicePrincipalName\":null}},\"loggedByService\":\"Core Directory\",\"operationType\":\"Update\",\"result\":\"success\",\"resultReason\":\"\",\"targetResources\":[{\"displayName\":\"LAPTOP-12\",\"id\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"modifiedProperties\":[{\"displayName\":\"Included Updated Properties\",\"newValue\":\"\\\"\\\"\",\"oldValue\":null}],\"type\":\"Device\"}]},\"resourceId\":\"/tenants/8a4de8b5-095c-47d0-a96f-a75130c61d53/providers/Microsoft.aadiam\",\"resultSignature\":\"None\",\"tenantId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"time\":\"2019-10-18T15:30:51.0273716Z\"}", "event.outcome": "success", "fileset.name": "auditlogs", "input.type": "log", diff --git a/x-pack/filebeat/module/azure/platformlogs/config/azure-eventhub.yml b/x-pack/filebeat/module/azure/platformlogs/config/azure-eventhub.yml index 496480aa1d0..80a73bc9905 100644 --- a/x-pack/filebeat/module/azure/platformlogs/config/azure-eventhub.yml +++ b/x-pack/filebeat/module/azure/platformlogs/config/azure-eventhub.yml @@ -13,4 +13,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.6.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/azure/platformlogs/config/file.yml b/x-pack/filebeat/module/azure/platformlogs/config/file.yml index e9470671e07..4242dc4cd7b 100644 --- a/x-pack/filebeat/module/azure/platformlogs/config/file.yml +++ b/x-pack/filebeat/module/azure/platformlogs/config/file.yml @@ -11,4 +11,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.6.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/azure/platformlogs/ingest/pipeline.yml b/x-pack/filebeat/module/azure/platformlogs/ingest/pipeline.yml index 8493ef886fe..6d68736bc8b 100644 --- a/x-pack/filebeat/module/azure/platformlogs/ingest/pipeline.yml +++ b/x-pack/filebeat/module/azure/platformlogs/ingest/pipeline.yml @@ -28,10 +28,11 @@ processors: formats: - ISO8601 - "M/d/yyyy h:mm:ss a XXX" +- rename: + field: message + target_field: event.original - remove: - field: - - message - - azure.platformlogs.time + field: azure.platformlogs.time ignore_missing: true - rename: field: azure.platformlogs.resourceId @@ -62,6 +63,15 @@ processors: field: azure.platformlogs.callerIpAddress target_field: source.ip ignore_missing: true +- set: + field: client.ip + value: '{{source.ip}}' + ignore_empty_value: true +- append: + field: related.ip + value: '{{source.ip}}' + allow_duplicates: false + if: 'ctx.source?.ip != null' - rename: field: azure.platformlogs.level target_field: log.level diff --git a/x-pack/filebeat/module/azure/platformlogs/test/platformlogs-eventhub.log-expected.json b/x-pack/filebeat/module/azure/platformlogs/test/platformlogs-eventhub.log-expected.json index b8a96002e14..4401b205a96 100644 --- a/x-pack/filebeat/module/azure/platformlogs/test/platformlogs-eventhub.log-expected.json +++ b/x-pack/filebeat/module/azure/platformlogs/test/platformlogs-eventhub.log-expected.json @@ -24,6 +24,7 @@ "event.dataset": "azure.platformlogs", "event.kind": "event", "event.module": "azure", + "event.original": "{\"ActivityId\":\"30ed877c-a36b-491a-bd4d-ddd847fe55b8\",\"Caller\":\"Portal\",\"Environment\":\"PROD\",\"EventName\":\"Retreive ConsumerGroup\",\"EventProperties\":\"{\\\"SubscriptionId\\\":\\\"7657426d-c4c3-44ac-88a2-3b2cd59e6dba\\\",\\\"Namespace\\\":\\\"obstesteventhubs\\\",\\\"Via\\\":\\\"sb://obstesteventhubs.servicebus.windows.net/insights-logs-operationallogs/consumergroups?api-version=2017-04\\u0026$skip=0\\u0026$top=100\\\",\\\"TrackingId\\\":\\\"30ed877c-a36b-491a-bd4d-ddd847fe55b8_M2CH3_M2CH3_G3S2\\\"}\",\"EventTimeString\":\"11/3/2020 9:06:42 AM +00:00\",\"Region\":\"West Europe\",\"ScaleUnit\":\"PROD-AM3-AZ501\",\"Status\":\"Succeeded\",\"category\":\"OperationalLogs\",\"resourceId\":\"/SUBSCRIPTIONS/7657426D-C4C3-44AC-88A2-3B2CD59E6DBA/RESOURCEGROUPS/OBS-TEST/PROVIDERS/MICROSOFT.EVENTHUB/NAMESPACES/OBSTESTEVENTHUBS\"}", "event.outcome": "succeeded", "fileset.name": "platformlogs", "input.type": "log", diff --git a/x-pack/filebeat/module/azure/platformlogs/test/platformlogs-kube.log-expected.json b/x-pack/filebeat/module/azure/platformlogs/test/platformlogs-kube.log-expected.json index 59669df1681..1e5b7cc84e3 100644 --- a/x-pack/filebeat/module/azure/platformlogs/test/platformlogs-kube.log-expected.json +++ b/x-pack/filebeat/module/azure/platformlogs/test/platformlogs-kube.log-expected.json @@ -19,6 +19,7 @@ "event.dataset": "azure.platformlogs", "event.kind": "event", "event.module": "azure", + "event.original": "{\"Cloud\":\"AzureCloud\",\"Environment\":\"prod\",\"category\":\"kube-audit\",\"ccpNamespace\":\"5e4bf4baee195b00017cdbfa\",\"operationName\":\"Microsoft.ContainerService/managedClusters/diagnosticLogs/Read\",\"properties\":{\"log\":\"{\\\"kind\\\":\\\"Event\\\",\\\"apiVersion\\\":\\\"audit.k8s.io/v1\\\",\\\"level\\\":\\\"Metadata\\\",\\\"auditID\\\":\\\"22af12c3-a1fe-4f2c-99a9-3cdde671dbfe\\\"}\",\"pod\":\"kube-apiserver-666bd4b459-hjgdc\",\"stream\":\"stdout\"},\"resourceId\":\"/SUBSCRIPTIONS/70BD6E77-4B1E-4835-8896-DB77B8EEF364/RESOURCEGROUPS/OBS-INFRASTRUCTURE/PROVIDERS/MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/OBSKUBE\",\"time\":\"2020-11-09T10:57:31.0000000Z\"}", "fileset.name": "platformlogs", "input.type": "log", "log.offset": 0, diff --git a/x-pack/filebeat/module/azure/signinlogs/config/azure-eventhub.yml b/x-pack/filebeat/module/azure/signinlogs/config/azure-eventhub.yml index b779113753b..e37c7c61a4d 100644 --- a/x-pack/filebeat/module/azure/signinlogs/config/azure-eventhub.yml +++ b/x-pack/filebeat/module/azure/signinlogs/config/azure-eventhub.yml @@ -12,4 +12,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/azure/signinlogs/config/file.yml b/x-pack/filebeat/module/azure/signinlogs/config/file.yml index d24e13efdcb..ded48a1474f 100644 --- a/x-pack/filebeat/module/azure/signinlogs/config/file.yml +++ b/x-pack/filebeat/module/azure/signinlogs/config/file.yml @@ -10,4 +10,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/azure/signinlogs/ingest/pipeline.yml b/x-pack/filebeat/module/azure/signinlogs/ingest/pipeline.yml index b156d5346d3..e20115d6b05 100644 --- a/x-pack/filebeat/module/azure/signinlogs/ingest/pipeline.yml +++ b/x-pack/filebeat/module/azure/signinlogs/ingest/pipeline.yml @@ -18,10 +18,11 @@ processors: ignore_failure: false formats: - ISO8601 +- rename: + field: message + target_field: event.original - remove: - field: - - message - - azure.signinlogs.time + field: azure.signinlogs.time ignore_missing: true - rename: field: azure.signinlogs.resourceId @@ -31,6 +32,15 @@ processors: field: azure.signinlogs.callerIpAddress target_field: source.ip ignore_missing: true +- set: + field: client.ip + value: '{{source.ip}}' + ignore_empty_value: true +- append: + field: related.ip + value: '{{source.ip}}' + allow_duplicates: false + if: 'ctx.source?.ip != null' - rename: field: azure.signinlogs.Level target_field: log.level diff --git a/x-pack/filebeat/module/azure/signinlogs/test/signinlogs.log-expected.json b/x-pack/filebeat/module/azure/signinlogs/test/signinlogs.log-expected.json index db0643ccf25..75e6eb05bb2 100644 --- a/x-pack/filebeat/module/azure/signinlogs/test/signinlogs.log-expected.json +++ b/x-pack/filebeat/module/azure/signinlogs/test/signinlogs.log-expected.json @@ -37,6 +37,7 @@ "azure.signinlogs.result_signature": "None", "azure.signinlogs.result_type": "50140", "azure.tenant_id": "8a4de8b5-095c-47d0-a96f-a75130c61d53", + "client.ip": "81.171.241.231", "cloud.provider": "azure", "event.action": "Sign-in activity", "event.category": [ @@ -46,6 +47,7 @@ "event.duration": 0, "event.kind": "event", "event.module": "azure", + "event.original": "{\"Level\":4,\"callerIpAddress\":\"81.171.241.231\",\"category\":\"SignInLogs\",\"correlationId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"durationMs\":0,\"identity\":\"Test LTest\",\"location\":\"FR\",\"operationName\":\"Sign-in activity\",\"operationVersion\":\"1.0\",\"properties\":{\"appDisplayName\":\"Office 365\",\"appId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"clientAppUsed\":\"Browser\",\"conditionalAccessStatus\":\"notApplied\",\"correlationId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"createdDateTime\":\"2019-10-18T04:45:48.0729893-05:00\",\"deviceDetail\":{\"browser\":\"Chrome 77.0.3865\",\"deviceId\":\"\",\"operatingSystem\":\"MacOs\"},\"id\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"ipAddress\":\"81.171.241.231\",\"isInteractive\":false,\"location\":{\"city\":\"Champs-Sur-Marne\",\"countryOrRegion\":\"FR\",\"geoCoordinates\":{\"latitude\":48.12341234,\"longitude\":2.12341234},\"state\":\"Seine-Et-Marne\"},\"originalRequestId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"processingTimeInMilliseconds\":239,\"riskDetail\":\"none\",\"riskLevelAggregated\":\"none\",\"riskLevelDuringSignIn\":\"none\",\"riskState\":\"none\",\"servicePrincipalId\":\"\",\"status\":{\"errorCode\":50140,\"failureReason\":\"This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.\"},\"tokenIssuerName\":\"\",\"tokenIssuerType\":\"AzureAD\",\"userDisplayName\":\"Test LTest\",\"userId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"userPrincipalName\":\"test@elastic.co\"},\"resourceId\":\"/tenants/8a4de8b5-095c-47d0-a96f-a75130c61d53/providers/Microsoft.aadiam\",\"resultDescription\":\"This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.\",\"resultSignature\":\"None\",\"resultType\":\"50140\",\"tenantId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"time\":\"2019-10-18T09:45:48.0729893Z\"}", "event.outcome": "failure", "event.type": [ "info" @@ -60,6 +62,9 @@ "log.level": 4, "log.offset": 0, "message": "This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.", + "related.ip": [ + "81.171.241.231" + ], "service.type": "azure", "source.as.number": 8426, "source.as.organization.name": "Claranet Ltd", @@ -118,6 +123,7 @@ "azure.signinlogs.result_signature": "None", "azure.signinlogs.result_type": "50140", "azure.tenant_id": "8a4de8b5-095c-47d0-a96f-a75130c61d53", + "client.ip": "8.8.8.8", "cloud.provider": "azure", "event.action": "Sign-in activity", "event.category": [ @@ -127,6 +133,7 @@ "event.duration": 0, "event.kind": "event", "event.module": "azure", + "event.original": "{\"Level\":4,\"callerIpAddress\":\"8.8.8.8\",\"category\":\"SignInLogs\",\"correlationId\":\"a8d4eb85-90c5-740d-9af6-7a15036cd135\",\"durationMs\":0,\"identity\":\"Test LTest\",\"location\":\"FR\",\"operationName\":\"Sign-in activity\",\"operationVersion\":\"1.0\",\"properties\":{\"appDisplayName\":\"Office 365\",\"appId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"clientAppUsed\":\"Browser\",\"conditionalAccessStatus\":\"notApplied\",\"correlationId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"createdDateTime\":\"2019-10-18T04:45:48.0729893-05:00\",\"deviceDetail\":{\"browser\":\"Chrome 77.0.3865\",\"deviceId\":\"\",\"operatingSystem\":\"MacOs\"},\"id\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"ipAddress\":\"81.171.241.231\",\"isInteractive\":false,\"location\":{\"city\":\"Champs-Sur-Marne\",\"countryOrRegion\":\"FR\",\"geoCoordinates\":{\"latitude\":48.12341234,\"longitude\":2.12341234},\"state\":\"Seine-Et-Marne\"},\"originalRequestId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"processingTimeInMilliseconds\":239,\"riskDetail\":\"none\",\"riskLevelAggregated\":\"none\",\"riskLevelDuringSignIn\":\"none\",\"riskState\":\"none\",\"servicePrincipalId\":\"\",\"status\":{\"errorCode\":50140,\"failureReason\":\"This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.\"},\"tokenIssuerName\":\"\",\"tokenIssuerType\":\"AzureAD\",\"userDisplayName\":\"Test LTest\",\"userId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"userPrincipalName\":\"c3813493-bf92-5123-2717-8a8b2979c38b\"},\"resourceId\":\"/tenants/8a4de8b5-095c-47d0-a96f-a75130c61d53/providers/Microsoft.aadiam\",\"resultDescription\":\"This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.\",\"resultSignature\":\"None\",\"resultType\":\"50140\",\"tenantId\":\"8a4de8b5-095c-47d0-a96f-a75130c61d53\",\"time\":\"2019-10-18T09:45:48.0729893Z\"}", "event.outcome": "failure", "event.type": [ "info" @@ -141,6 +148,9 @@ "log.level": 4, "log.offset": 1688, "message": "This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.", + "related.ip": [ + "8.8.8.8" + ], "service.type": "azure", "source.as.number": 15169, "source.as.organization.name": "Google LLC", From c957e5830ec2037416a63576a026d607efeea249 Mon Sep 17 00:00:00 2001 From: Adrian Serrano Date: Tue, 9 Feb 2021 17:48:49 +0100 Subject: [PATCH 5/6] Update Filebeat aws/s3access dataset to ECS 1.8 (#23920) Update the s3access dataset. There's nothing ECS 1.8 in particular. This adds: - event.category: "web" - event.type: "access" - event.original - http.request.method - http.response.body.bytes - http.version - url.original (http request URI) Fixes: - event.duration needed to be converted to nanoseconds (was milliseconds) --- CHANGELOG.next.asciidoc | 2 + .../module/aws/s3access/config/aws-s3.yml | 2 +- .../module/aws/s3access/config/file.yml | 2 +- .../module/aws/s3access/ingest/pipeline.yml | 56 +++++++- .../test/s3_server_access.log-expected.json | 62 ++++++++- .../module/aws/s3access/test/test.log | 1 + .../aws/s3access/test/test.log-expected.json | 124 +++++++++++++++++- 7 files changed, 231 insertions(+), 18 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 01f25ed4ddc..eb39f855b1e 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -379,6 +379,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Fix handling of ModifiedProperties field in Office 365. {pull}23777[23777] - Fix goroutines leak with some inputs in autodiscover. {pull}23722[23722] - Fix various processing errors in the Suricata module. {pull}23236[23236] +- aws/s3access dataset was populating event.duration using the wrong unit. {pull}23920[23920] *Heartbeat* @@ -837,6 +838,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Upgrade fortinet/firewall to ECS 1.8 {issue}23118[23118] {pull}23902[23902] - Upgrade Zeek to ECS 1.8.0. {issue}23118[23118] {pull}23847[23847] - Updated azure module to ECS 1.8. {issue}23118[23118] {pull}23927[23927] +- Update aws/s3access to ECS 1.8. {issue}23118[23118] {pull}23920[23920] *Heartbeat* diff --git a/x-pack/filebeat/module/aws/s3access/config/aws-s3.yml b/x-pack/filebeat/module/aws/s3access/config/aws-s3.yml index db50bdc4362..c156fac870b 100644 --- a/x-pack/filebeat/module/aws/s3access/config/aws-s3.yml +++ b/x-pack/filebeat/module/aws/s3access/config/aws-s3.yml @@ -52,4 +52,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/aws/s3access/config/file.yml b/x-pack/filebeat/module/aws/s3access/config/file.yml index 402a1b25b12..4242dc4cd7b 100644 --- a/x-pack/filebeat/module/aws/s3access/config/file.yml +++ b/x-pack/filebeat/module/aws/s3access/config/file.yml @@ -11,4 +11,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/aws/s3access/ingest/pipeline.yml b/x-pack/filebeat/module/aws/s3access/ingest/pipeline.yml index dd8613a904a..4dea7d027c6 100644 --- a/x-pack/filebeat/module/aws/s3access/ingest/pipeline.yml +++ b/x-pack/filebeat/module/aws/s3access/ingest/pipeline.yml @@ -1,6 +1,12 @@ description: "Pipeline for s3 server access logs" processors: + - set: + field: event.category + value: web + - append: + field: event.type + value: access - set: field: event.ingested value: '{{_ingest.timestamp}}' @@ -24,6 +30,22 @@ processors: S3ID: "[a-zA-Z0-9\\/_\\.\\-%+=]+" S3VERSION: "[a-zA-Z0-9.]+" + - grok: + field: aws.s3access.request_uri + ignore_failure: true + patterns: + - '%{NOTSPACE:http.request.method} %{NOTSPACE:url.original} [hH][tT][tT][pP]/%{NOTSPACE:http.version}' + + # + # Best-effort parse of url.original in the form /path?query" + # + - grok: + field: url.original + ignore_failure: true + patterns: + - '^%{ABS_PATH:url.path}(?:\?%{DATA:url.query})?$' + pattern_definitions: + ABS_PATH: '/[^?]*' - append: if: "ctx?.aws?.s3access?.bucket_owner != null" field: related.user @@ -99,10 +121,25 @@ processors: field: event.outcome value: success - - set: - field: event.duration - value: "{{aws.s3access.total_time}}" - ignore_empty_value: true + - convert: + field: aws.s3access.bytes_sent + target_field: http.response.body.bytes + type: long + ignore_failure: true + + - convert: + field: aws.s3access.total_time + target_field: event.duration + type: long + ignore_failure: true + + - script: + lang: painless + if: ctx.event?.duration != null + params: + MS_TO_NS: 1000000 + source: >- + ctx.event.duration *= params.MS_TO_NS; - set: field: http.request.referrer @@ -137,13 +174,18 @@ processors: field: event.kind value: event + # + # Save original message into event.original + # + - rename: + field: "message" + target_field: "event.original" + # # Remove temporary fields # - remove: - field: - - message - - _temp_ + field: _temp_ ignore_missing: true on_failure: diff --git a/x-pack/filebeat/module/aws/s3access/test/s3_server_access.log-expected.json b/x-pack/filebeat/module/aws/s3access/test/s3_server_access.log-expected.json index 187f7f33589..aa9d1bf6938 100644 --- a/x-pack/filebeat/module/aws/s3access/test/s3_server_access.log-expected.json +++ b/x-pack/filebeat/module/aws/s3access/test/s3_server_access.log-expected.json @@ -23,12 +23,17 @@ "client.user.id": "arn:aws:sts::123456:assumed-role/AWSServiceRoleForTrustedAdvisor/TrustedAdvisor_627959692251_784ab70b-8cc9-4d37-a2ec-2ff4d0c08af9", "cloud.provider": "aws", "event.action": "REST.GET.LOCATION", + "event.category": "web", "event.dataset": "aws.s3access", - "event.duration": "17", + "event.duration": 17000000, "event.id": "44EE8651683CB4DA", "event.kind": "event", "event.module": "aws", + "event.original": "36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2 test-s3-ks [01/Aug/2019:00:24:41 +0000] 72.21.217.31 arn:aws:sts::123456:assumed-role/AWSServiceRoleForTrustedAdvisor/TrustedAdvisor_627959692251_784ab70b-8cc9-4d37-a2ec-2ff4d0c08af9 44EE8651683CB4DA REST.GET.LOCATION - \"GET /test-s3-ks/?location&aws-account=627959692251 HTTP/1.1\" 200 - 142 - 17 - \"-\" \"AWS-Support-TrustedAdvisor, aws-internal/3 aws-sdk-java/1.11.590 Linux/4.9.137-0.1.ac.218.74.329.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.212-b03 java/1.8.0_212 vendor/Oracle_Corporation\" - BsCfJedfuSnds2QFoxi+E/O7M6OEWzJnw4dUaes/2hyA363sONRJKzB7EOY+Bt9DTHYUn+HoHxI= SigV4 ECDHE-RSA-AES128-SHA AuthHeader s3.ap-southeast-1.amazonaws.com TLSv1.2", "event.outcome": "success", + "event.type": [ + "access" + ], "fileset.name": "s3access", "geo.city_name": "Ashburn", "geo.continent_name": "North America", @@ -38,7 +43,10 @@ "geo.location.lon": -77.4728, "geo.region_iso_code": "US-VA", "geo.region_name": "Virginia", + "http.request.method": "GET", + "http.response.body.bytes": 142, "http.response.status_code": 200, + "http.version": "1.1", "input.type": "log", "log.offset": 0, "related.ip": [ @@ -54,6 +62,9 @@ "tls.cipher": "ECDHE-RSA-AES128-SHA", "tls.version": "1.2", "tls.version_protocol": "tls", + "url.original": "/test-s3-ks/?location&aws-account=627959692251", + "url.path": "/test-s3-ks/", + "url.query": "location&aws-account=627959692251", "user_agent.device.name": "Other", "user_agent.name": "aws-sdk-java", "user_agent.original": "AWS-Support-TrustedAdvisor, aws-internal/3 aws-sdk-java/1.11.590 Linux/4.9.137-0.1.ac.218.74.329.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.212-b03 java/1.8.0_212 vendor/Oracle_Corporation", @@ -86,12 +97,17 @@ "client.user.id": "arn:aws:sts::123456:assumed-role/AWSServiceRoleForTrustedAdvisor/TrustedAdvisor_627959692251_784ab70b-8cc9-4d37-a2ec-2ff4d0c08af9", "cloud.provider": "aws", "event.action": "REST.GET.LOCATION", + "event.category": "web", "event.dataset": "aws.s3access", - "event.duration": "3", + "event.duration": 3000000, "event.id": "E26222010BCC32B6", "event.kind": "event", "event.module": "aws", + "event.original": "36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2 test-s3-ks [01/Aug/2019:00:24:42 +0000] 72.21.217.31 arn:aws:sts::123456:assumed-role/AWSServiceRoleForTrustedAdvisor/TrustedAdvisor_627959692251_784ab70b-8cc9-4d37-a2ec-2ff4d0c08af9 E26222010BCC32B6 REST.GET.LOCATION - \"GET /test-s3-ks/?location&aws-account=627959692251 HTTP/1.1\" 200 - 142 - 3 - \"-\" \"AWS-Support-TrustedAdvisor, aws-internal/3 aws-sdk-java/1.11.590 Linux/4.9.137-0.1.ac.218.74.329.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.212-b03 java/1.8.0_212 vendor/Oracle_Corporation\" - gNl/Q1IzY6nGTBygqI3rnMz/ZFOFwOTDpSMrNca+IcEmMAd6sCIs1ZRLYDekD8LB9lrj9UdQLWE= SigV4 ECDHE-RSA-AES128-SHA AuthHeader s3.ap-southeast-1.amazonaws.com TLSv1.2", "event.outcome": "success", + "event.type": [ + "access" + ], "fileset.name": "s3access", "geo.city_name": "Ashburn", "geo.continent_name": "North America", @@ -101,7 +117,10 @@ "geo.location.lon": -77.4728, "geo.region_iso_code": "US-VA", "geo.region_name": "Virginia", + "http.request.method": "GET", + "http.response.body.bytes": 142, "http.response.status_code": 200, + "http.version": "1.1", "input.type": "log", "log.offset": 715, "related.ip": [ @@ -117,6 +136,9 @@ "tls.cipher": "ECDHE-RSA-AES128-SHA", "tls.version": "1.2", "tls.version_protocol": "tls", + "url.original": "/test-s3-ks/?location&aws-account=627959692251", + "url.path": "/test-s3-ks/", + "url.query": "location&aws-account=627959692251", "user_agent.device.name": "Other", "user_agent.name": "aws-sdk-java", "user_agent.original": "AWS-Support-TrustedAdvisor, aws-internal/3 aws-sdk-java/1.11.590 Linux/4.9.137-0.1.ac.218.74.329.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.212-b03 java/1.8.0_212 vendor/Oracle_Corporation", @@ -150,12 +172,17 @@ "client.user.id": "arn:aws:sts::123456:assumed-role/AWSServiceRoleForTrustedAdvisor/TrustedAdvisor_627959692251_784ab70b-8cc9-4d37-a2ec-2ff4d0c08af9", "cloud.provider": "aws", "event.action": "REST.GET.BUCKET", + "event.category": "web", "event.dataset": "aws.s3access", - "event.duration": "2", + "event.duration": 2000000, "event.id": "4DD6D17D1C5C401C", "event.kind": "event", "event.module": "aws", + "event.original": "36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2 test-s3-ks [01/Aug/2019:00:24:43 +0000] 72.21.217.31 arn:aws:sts::123456:assumed-role/AWSServiceRoleForTrustedAdvisor/TrustedAdvisor_627959692251_784ab70b-8cc9-4d37-a2ec-2ff4d0c08af9 4DD6D17D1C5C401C REST.GET.BUCKET - \"GET /test-s3-ks/?max-keys=0&encoding-type=url&aws-account=627959692251 HTTP/1.1\" 200 - 265 - 2 1 \"-\" \"AWS-Support-TrustedAdvisor, aws-internal/3 aws-sdk-java/1.11.590 Linux/4.9.137-0.1.ac.218.74.329.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.212-b03 java/1.8.0_212 vendor/Oracle_Corporation\" - KzvchfojYQnuFC4PABYVJVxIlv/f6r17LRaTSvw7x+bxj4PkkPKT1kX9x8wbqtq40iD4PC881iE= SigV4 ECDHE-RSA-AES128-SHA AuthHeader s3.ap-southeast-1.amazonaws.com TLSv1.2", "event.outcome": "success", + "event.type": [ + "access" + ], "fileset.name": "s3access", "geo.city_name": "Ashburn", "geo.continent_name": "North America", @@ -165,7 +192,10 @@ "geo.location.lon": -77.4728, "geo.region_iso_code": "US-VA", "geo.region_name": "Virginia", + "http.request.method": "GET", + "http.response.body.bytes": 265, "http.response.status_code": 200, + "http.version": "1.1", "input.type": "log", "log.offset": 1429, "related.ip": [ @@ -181,6 +211,9 @@ "tls.cipher": "ECDHE-RSA-AES128-SHA", "tls.version": "1.2", "tls.version_protocol": "tls", + "url.original": "/test-s3-ks/?max-keys=0&encoding-type=url&aws-account=627959692251", + "url.path": "/test-s3-ks/", + "url.query": "max-keys=0&encoding-type=url&aws-account=627959692251", "user_agent.device.name": "Other", "user_agent.name": "aws-sdk-java", "user_agent.original": "AWS-Support-TrustedAdvisor, aws-internal/3 aws-sdk-java/1.11.590 Linux/4.9.137-0.1.ac.218.74.329.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.212-b03 java/1.8.0_212 vendor/Oracle_Corporation", @@ -213,12 +246,17 @@ "client.user.id": "arn:aws:sts::123456:assumed-role/AWSServiceRoleForTrustedAdvisor/TrustedAdvisor_627959692251_784ab70b-8cc9-4d37-a2ec-2ff4d0c08af9", "cloud.provider": "aws", "event.action": "REST.GET.LOCATION", + "event.category": "web", "event.dataset": "aws.s3access", - "event.duration": "4", + "event.duration": 4000000, "event.id": "706992E2F3CC3C3D", "event.kind": "event", "event.module": "aws", + "event.original": "36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2 test-s3-ks [01/Aug/2019:00:24:43 +0000] 72.21.217.31 arn:aws:sts::123456:assumed-role/AWSServiceRoleForTrustedAdvisor/TrustedAdvisor_627959692251_784ab70b-8cc9-4d37-a2ec-2ff4d0c08af9 706992E2F3CC3C3D REST.GET.LOCATION - \"GET /test-s3-ks/?location&aws-account=627959692251 HTTP/1.1\" 200 - 142 - 4 - \"-\" \"AWS-Support-TrustedAdvisor, aws-internal/3 aws-sdk-java/1.11.590 Linux/4.9.137-0.1.ac.218.74.329.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.212-b03 java/1.8.0_212 vendor/Oracle_Corporation\" - cIN12KTrJwx+uTBZD+opZUPE4iGypi8oG/oXGPzFk9CMuHQGuEpmAeNELdtYKDxf2TDor25Nikg= SigV4 ECDHE-RSA-AES128-SHA AuthHeader s3.ap-southeast-1.amazonaws.com TLSv1.2", "event.outcome": "success", + "event.type": [ + "access" + ], "fileset.name": "s3access", "geo.city_name": "Ashburn", "geo.continent_name": "North America", @@ -228,7 +266,10 @@ "geo.location.lon": -77.4728, "geo.region_iso_code": "US-VA", "geo.region_name": "Virginia", + "http.request.method": "GET", + "http.response.body.bytes": 142, "http.response.status_code": 200, + "http.version": "1.1", "input.type": "log", "log.offset": 2161, "related.ip": [ @@ -244,6 +285,9 @@ "tls.cipher": "ECDHE-RSA-AES128-SHA", "tls.version": "1.2", "tls.version_protocol": "tls", + "url.original": "/test-s3-ks/?location&aws-account=627959692251", + "url.path": "/test-s3-ks/", + "url.query": "location&aws-account=627959692251", "user_agent.device.name": "Other", "user_agent.name": "aws-sdk-java", "user_agent.original": "AWS-Support-TrustedAdvisor, aws-internal/3 aws-sdk-java/1.11.590 Linux/4.9.137-0.1.ac.218.74.329.metal1.x86_64 OpenJDK_64-Bit_Server_VM/25.212-b03 java/1.8.0_212 vendor/Oracle_Corporation", @@ -274,11 +318,16 @@ "client.user.id": "arn:aws:iam::123456:user/test@elastic.co", "cloud.provider": "aws", "event.action": "BATCH.DELETE.OBJECT", + "event.category": "web", "event.dataset": "aws.s3access", "event.id": "8CD7A4A71E2E5C9E", "event.kind": "event", "event.module": "aws", + "event.original": "36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2 jsoriano-s3-test [10/Sep/2019:15:11:07 +0000] 77.227.156.41 arn:aws:iam::123456:user/test@elastic.co 8CD7A4A71E2E5C9E BATCH.DELETE.OBJECT jolokia-war-1.5.0.war - 204 - - 344017 - - - - - IeDW5I3wefFxU8iHOcAzi5qr+O+1bdRlcQ0AO2WGjFh7JwYM6qCoKq+1TrUshrXMlBxPFtg97Vk= SigV4 ECDHE-RSA-AES128-SHA AuthHeader s3.eu-central-1.amazonaws.com TLSv1.2", "event.outcome": "success", + "event.type": [ + "access" + ], "fileset.name": "s3access", "geo.city_name": "Teruel", "geo.continent_name": "Europe", @@ -327,11 +376,16 @@ "client.user.id": "arn:aws:iam::123456:user/test@elastic.co", "cloud.provider": "aws", "event.action": "BATCH.DELETE.OBJECT", + "event.category": "web", "event.dataset": "aws.s3access", "event.id": "6CE38F1312D32BDD", "event.kind": "event", "event.module": "aws", + "event.original": "36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2 test-s3-ks [19/Sep/2019:17:06:39 +0000] 174.29.206.152 arn:aws:iam::123456:user/test@elastic.co 6CE38F1312D32BDD BATCH.DELETE.OBJECT Screen+Shot+2019-09-09+at+9.08.44+AM.png - 204 - - 57138 - - - - - LwRa4w6DbuU48GKQiH3jDbjfTyLCbwasFBsdttugRQ+9lH4jK8lT91+HhGZKMYI3sPyKuQ9LvU0= SigV4 ECDHE-RSA-AES128-SHA AuthHeader s3-ap-southeast-1.amazonaws.com TLSv1.2", "event.outcome": "success", + "event.type": [ + "access" + ], "fileset.name": "s3access", "geo.city_name": "Denver", "geo.continent_name": "North America", diff --git a/x-pack/filebeat/module/aws/s3access/test/test.log b/x-pack/filebeat/module/aws/s3access/test/test.log index abb17ce2b45..8e3d2c0aff1 100644 --- a/x-pack/filebeat/module/aws/s3access/test/test.log +++ b/x-pack/filebeat/module/aws/s3access/test/test.log @@ -3,3 +3,4 @@ 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be awsexamplebucket [06/Feb/2019:00:00:38 +0000] 192.0.2.3 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be A1206F460EXAMPLE REST.GET.BUCKETPOLICY - "GET /awsexamplebucket?policy HTTP/1.1" 404 NoSuchBucketPolicy 297 - 38 - "-" "S3Console/0.4" - BNaBsXZQQDbssi6xMBdBU2sLt+Yf5kZDmeBUP35sFoKa3sLLeMC78iwEIWxs99CRUrbS4n11234= SigV2 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader awsexamplebucket.s3.amazonaws.com TLSV1.1 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be awsexamplebucket [06/Feb/2019:00:01:00 +0000] 192.0.2.3 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be 7B4A0FABBEXAMPLE REST.GET.VERSIONING - "GET /awsexamplebucket?versioning HTTP/1.1" 200 - 113 - 33 - "-" "S3Console/0.4" - Ke1bUcazaN1jWuUlPJaxF64cQVpUEhoZKEG/hmy/gijN/I1DeWqDfFvnpybfEseEME/u7ME1234= SigV2 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader awsexamplebucket.s3.amazonaws.com TLSV1.1 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be awsexamplebucket [06/Feb/2019:00:01:57 +0000] 192.0.2.3 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be DD6CC733AEXAMPLE REST.PUT.OBJECT s3-dg.pdf "PUT /awsexamplebucket/s3-dg.pdf HTTP/1.1" 200 - - 4406583 41754 28 "-" "S3Console/0.4" - 10S62Zv81kBW7BB6SX4XJ48o6kpcl6LPwEoizZQQxJd5qDSCTLX0TgS37kYUBKQW3+bPdrg1234= SigV4 ECDHE-RSA-AES128-SHA AuthHeader awsexamplebucket.s3.amazonaws.com TLSV1.1 +79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be faketest [09/Feb/2021:14:48:42 +0200] 192.0.2.3 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be DD6CC733AEXAMPLE REST.OPTIONS.FAKE s3-dg.pdf "OPTIONS * HTTP/1.0" 200 - - 4406583 41754 28 "-" "S3Console/0.4" - 10S62Zv81kBW7BB6SX4XJ48o6kpcl6LPwEoizZQQxJd5qDSCTLX0TgS37kYUBKQW3+bPdrg1234= SigV4 ECDHE-RSA-AES128-SHA AuthHeader awsexamplebucket.s3.amazonaws.com TLSV1.1 diff --git a/x-pack/filebeat/module/aws/s3access/test/test.log-expected.json b/x-pack/filebeat/module/aws/s3access/test/test.log-expected.json index fb6c38fb108..f6ca4d4edf3 100644 --- a/x-pack/filebeat/module/aws/s3access/test/test.log-expected.json +++ b/x-pack/filebeat/module/aws/s3access/test/test.log-expected.json @@ -23,14 +23,22 @@ "client.user.id": "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be", "cloud.provider": "aws", "event.action": "REST.GET.VERSIONING", + "event.category": "web", "event.dataset": "aws.s3access", - "event.duration": "7", + "event.duration": 7000000, "event.id": "3E57427F3EXAMPLE", "event.kind": "event", "event.module": "aws", + "event.original": "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be awsexamplebucket [06/Feb/2019:00:00:38 +0000] 192.0.2.3 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be 3E57427F3EXAMPLE REST.GET.VERSIONING - \"GET /awsexamplebucket?versioning HTTP/1.1\" 200 - 113 - 7 - \"-\" \"S3Console/0.4\" - s9lzHYrFp76ZVxRcpX9+5cjAnEH2ROuNkd2BHfIa6UkFVdtjf5mKR3/eTPFvsiP/XV/VLi31234= SigV2 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader awsexamplebucket.s3.amazonaws.com TLSV1.1", "event.outcome": "success", + "event.type": [ + "access" + ], "fileset.name": "s3access", + "http.request.method": "GET", + "http.response.body.bytes": 113, "http.response.status_code": 200, + "http.version": "1.1", "input.type": "log", "log.offset": 0, "related.ip": [ @@ -46,6 +54,9 @@ "tls.cipher": "ECDHE-RSA-AES128-GCM-SHA256", "tls.version": "1.1", "tls.version_protocol": "tls", + "url.original": "/awsexamplebucket?versioning", + "url.path": "/awsexamplebucket", + "url.query": "versioning", "user_agent.device.name": "Other", "user_agent.name": "Other", "user_agent.original": "S3Console/0.4" @@ -74,14 +85,22 @@ "client.user.id": "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be", "cloud.provider": "aws", "event.action": "REST.GET.LOGGING_STATUS", + "event.category": "web", "event.dataset": "aws.s3access", - "event.duration": "11", + "event.duration": 11000000, "event.id": "891CE47D2EXAMPLE", "event.kind": "event", "event.module": "aws", + "event.original": "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be awsexamplebucket [06/Feb/2019:00:00:38 +0000] 192.0.2.3 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be 891CE47D2EXAMPLE REST.GET.LOGGING_STATUS - \"GET /awsexamplebucket?logging HTTP/1.1\" 200 - 242 - 11 - \"-\" \"S3Console/0.4\" - 9vKBE6vMhrNiWHZmb2L0mXOcqPGzQOI5XLnCtZNPxev+Hf+7tpT6sxDwDty4LHBUOZJG96N1234= SigV2 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader awsexamplebucket.s3.amazonaws.com TLSV1.1", "event.outcome": "success", + "event.type": [ + "access" + ], "fileset.name": "s3access", + "http.request.method": "GET", + "http.response.body.bytes": 242, "http.response.status_code": 200, + "http.version": "1.1", "input.type": "log", "log.offset": 471, "related.ip": [ @@ -97,6 +116,9 @@ "tls.cipher": "ECDHE-RSA-AES128-GCM-SHA256", "tls.version": "1.1", "tls.version_protocol": "tls", + "url.original": "/awsexamplebucket?logging", + "url.path": "/awsexamplebucket", + "url.query": "logging", "user_agent.device.name": "Other", "user_agent.name": "Other", "user_agent.original": "S3Console/0.4" @@ -126,15 +148,23 @@ "client.user.id": "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be", "cloud.provider": "aws", "event.action": "REST.GET.BUCKETPOLICY", + "event.category": "web", "event.code": "NoSuchBucketPolicy", "event.dataset": "aws.s3access", - "event.duration": "38", + "event.duration": 38000000, "event.id": "A1206F460EXAMPLE", "event.kind": "event", "event.module": "aws", + "event.original": "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be awsexamplebucket [06/Feb/2019:00:00:38 +0000] 192.0.2.3 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be A1206F460EXAMPLE REST.GET.BUCKETPOLICY - \"GET /awsexamplebucket?policy HTTP/1.1\" 404 NoSuchBucketPolicy 297 - 38 - \"-\" \"S3Console/0.4\" - BNaBsXZQQDbssi6xMBdBU2sLt+Yf5kZDmeBUP35sFoKa3sLLeMC78iwEIWxs99CRUrbS4n11234= SigV2 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader awsexamplebucket.s3.amazonaws.com TLSV1.1", "event.outcome": "failure", + "event.type": [ + "access" + ], "fileset.name": "s3access", + "http.request.method": "GET", + "http.response.body.bytes": 297, "http.response.status_code": 404, + "http.version": "1.1", "input.type": "log", "log.offset": 944, "related.ip": [ @@ -150,6 +180,9 @@ "tls.cipher": "ECDHE-RSA-AES128-GCM-SHA256", "tls.version": "1.1", "tls.version_protocol": "tls", + "url.original": "/awsexamplebucket?policy", + "url.path": "/awsexamplebucket", + "url.query": "policy", "user_agent.device.name": "Other", "user_agent.name": "Other", "user_agent.original": "S3Console/0.4" @@ -178,14 +211,22 @@ "client.user.id": "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be", "cloud.provider": "aws", "event.action": "REST.GET.VERSIONING", + "event.category": "web", "event.dataset": "aws.s3access", - "event.duration": "33", + "event.duration": 33000000, "event.id": "7B4A0FABBEXAMPLE", "event.kind": "event", "event.module": "aws", + "event.original": "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be awsexamplebucket [06/Feb/2019:00:01:00 +0000] 192.0.2.3 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be 7B4A0FABBEXAMPLE REST.GET.VERSIONING - \"GET /awsexamplebucket?versioning HTTP/1.1\" 200 - 113 - 33 - \"-\" \"S3Console/0.4\" - Ke1bUcazaN1jWuUlPJaxF64cQVpUEhoZKEG/hmy/gijN/I1DeWqDfFvnpybfEseEME/u7ME1234= SigV2 ECDHE-RSA-AES128-GCM-SHA256 AuthHeader awsexamplebucket.s3.amazonaws.com TLSV1.1", "event.outcome": "success", + "event.type": [ + "access" + ], "fileset.name": "s3access", + "http.request.method": "GET", + "http.response.body.bytes": 113, "http.response.status_code": 200, + "http.version": "1.1", "input.type": "log", "log.offset": 1431, "related.ip": [ @@ -201,6 +242,9 @@ "tls.cipher": "ECDHE-RSA-AES128-GCM-SHA256", "tls.version": "1.1", "tls.version_protocol": "tls", + "url.original": "/awsexamplebucket?versioning", + "url.path": "/awsexamplebucket", + "url.query": "versioning", "user_agent.device.name": "Other", "user_agent.name": "Other", "user_agent.original": "S3Console/0.4" @@ -231,14 +275,21 @@ "client.user.id": "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be", "cloud.provider": "aws", "event.action": "REST.PUT.OBJECT", + "event.category": "web", "event.dataset": "aws.s3access", - "event.duration": "41754", + "event.duration": 41754000000, "event.id": "DD6CC733AEXAMPLE", "event.kind": "event", "event.module": "aws", + "event.original": "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be awsexamplebucket [06/Feb/2019:00:01:57 +0000] 192.0.2.3 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be DD6CC733AEXAMPLE REST.PUT.OBJECT s3-dg.pdf \"PUT /awsexamplebucket/s3-dg.pdf HTTP/1.1\" 200 - - 4406583 41754 28 \"-\" \"S3Console/0.4\" - 10S62Zv81kBW7BB6SX4XJ48o6kpcl6LPwEoizZQQxJd5qDSCTLX0TgS37kYUBKQW3+bPdrg1234= SigV4 ECDHE-RSA-AES128-SHA AuthHeader awsexamplebucket.s3.amazonaws.com TLSV1.1", "event.outcome": "success", + "event.type": [ + "access" + ], "fileset.name": "s3access", + "http.request.method": "PUT", "http.response.status_code": 200, + "http.version": "1.1", "input.type": "log", "log.offset": 1903, "related.ip": [ @@ -254,6 +305,69 @@ "tls.cipher": "ECDHE-RSA-AES128-SHA", "tls.version": "1.1", "tls.version_protocol": "tls", + "url.original": "/awsexamplebucket/s3-dg.pdf", + "url.path": "/awsexamplebucket/s3-dg.pdf", + "user_agent.device.name": "Other", + "user_agent.name": "Other", + "user_agent.original": "S3Console/0.4" + }, + { + "@timestamp": "2021-02-09T12:48:42.000Z", + "aws.s3access.authentication_type": "AuthHeader", + "aws.s3access.bucket": "faketest", + "aws.s3access.bucket_owner": "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be", + "aws.s3access.cipher_suite": "ECDHE-RSA-AES128-SHA", + "aws.s3access.host_header": "awsexamplebucket.s3.amazonaws.com", + "aws.s3access.host_id": "10S62Zv81kBW7BB6SX4XJ48o6kpcl6LPwEoizZQQxJd5qDSCTLX0TgS37kYUBKQW3+bPdrg1234=", + "aws.s3access.http_status": 200, + "aws.s3access.key": "s3-dg.pdf", + "aws.s3access.object_size": 4406583, + "aws.s3access.operation": "REST.OPTIONS.FAKE", + "aws.s3access.remote_ip": "192.0.2.3", + "aws.s3access.request_id": "DD6CC733AEXAMPLE", + "aws.s3access.request_uri": "OPTIONS * HTTP/1.0", + "aws.s3access.requester": "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be", + "aws.s3access.signature_version": "SigV4", + "aws.s3access.tls_version": "TLSV1.1", + "aws.s3access.total_time": 41754, + "aws.s3access.turn_around_time": 28, + "aws.s3access.user_agent": "S3Console/0.4", + "client.address": "192.0.2.3", + "client.ip": "192.0.2.3", + "client.user.id": "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be", + "cloud.provider": "aws", + "event.action": "REST.OPTIONS.FAKE", + "event.category": "web", + "event.dataset": "aws.s3access", + "event.duration": 41754000000, + "event.id": "DD6CC733AEXAMPLE", + "event.kind": "event", + "event.module": "aws", + "event.original": "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be faketest [09/Feb/2021:14:48:42 +0200] 192.0.2.3 79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be DD6CC733AEXAMPLE REST.OPTIONS.FAKE s3-dg.pdf \"OPTIONS * HTTP/1.0\" 200 - - 4406583 41754 28 \"-\" \"S3Console/0.4\" - 10S62Zv81kBW7BB6SX4XJ48o6kpcl6LPwEoizZQQxJd5qDSCTLX0TgS37kYUBKQW3+bPdrg1234= SigV4 ECDHE-RSA-AES128-SHA AuthHeader awsexamplebucket.s3.amazonaws.com TLSV1.1", + "event.outcome": "success", + "event.type": [ + "access" + ], + "fileset.name": "s3access", + "http.request.method": "OPTIONS", + "http.response.status_code": 200, + "http.version": "1.0", + "input.type": "log", + "log.offset": 2379, + "related.ip": [ + "192.0.2.3" + ], + "related.user": [ + "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be" + ], + "service.type": "aws", + "tags": [ + "forwarded" + ], + "tls.cipher": "ECDHE-RSA-AES128-SHA", + "tls.version": "1.1", + "tls.version_protocol": "tls", + "url.original": "*", "user_agent.device.name": "Other", "user_agent.name": "Other", "user_agent.original": "S3Console/0.4" From 80123fbe031fc950a7cc4e31226a5ade68ae520a Mon Sep 17 00:00:00 2001 From: Marc Guasch Date: Wed, 10 Feb 2021 11:32:43 +0100 Subject: [PATCH 6/6] Upgrade panw module to ecs 1.8 (#23931) --- CHANGELOG.next.asciidoc | 1 + .../module/panw/panos/config/input.yml | 2 +- .../module/panw/panos/ingest/pipeline.yml | 12 + .../test/pan_inc_other.log-expected.json | 2 - .../test/pan_inc_threat.log-expected.json | 200 ------------ .../test/pan_inc_traffic.log-expected.json | 197 ------------ .../panw/panos/test/threat.log-expected.json | 228 +++++-------- .../panw/panos/test/traffic.log-expected.json | 300 ++++++------------ 8 files changed, 190 insertions(+), 752 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index eb39f855b1e..317f9a63ded 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -839,6 +839,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Upgrade Zeek to ECS 1.8.0. {issue}23118[23118] {pull}23847[23847] - Updated azure module to ECS 1.8. {issue}23118[23118] {pull}23927[23927] - Update aws/s3access to ECS 1.8. {issue}23118[23118] {pull}23920[23920] +- Upgrade panw module to ecs 1.8 {issue}23118[23118] {pull}23931[23931] *Heartbeat* diff --git a/x-pack/filebeat/module/panw/panos/config/input.yml b/x-pack/filebeat/module/panw/panos/config/input.yml index 3d3f0be207f..8fa5bd12958 100644 --- a/x-pack/filebeat/module/panw/panos/config/input.yml +++ b/x-pack/filebeat/module/panw/panos/config/input.yml @@ -209,4 +209,4 @@ processors: - add_fields: target: '' fields: - ecs.version: 1.7.0 + ecs.version: 1.8.0 diff --git a/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml b/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml index 3bf76a0c5c1..42d2f4ff9c1 100644 --- a/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml +++ b/x-pack/filebeat/module/panw/panos/ingest/pipeline.yml @@ -385,21 +385,25 @@ processors: - append: if: 'ctx?.source?.ip != null' field: related.ip + allow_duplicates: false value: - '{{source.ip}}' - append: if: 'ctx?.destination?.ip != null' field: related.ip + allow_duplicates: false value: - '{{destination.ip}}' - append: if: 'ctx?.source?.nat?.ip != null' field: related.ip + allow_duplicates: false value: - '{{source.nat.ip}}' - append: if: 'ctx?.destination?.nat?.ip != null' field: related.ip + allow_duplicates: false value: - '{{destination.nat.ip}}' @@ -528,43 +532,51 @@ processors: - append: field: related.user + allow_duplicates: false value: "{{client.user.name}}" if: "ctx?.client?.user?.name != null" - append: field: related.user + allow_duplicates: false value: "{{source.user.name}}" if: "ctx?.source?.user?.name != null" - append: field: related.user + allow_duplicates: false value: "{{server.user.name}}" if: "ctx?.server?.user?.name != null" - append: field: related.user + allow_duplicates: false value: "{{destination.user.name}}" if: "ctx?.destination?.user?.name != null" - append: field: related.user + allow_duplicates: false value: "{{url.username}}" if: "ctx?.url?.username != null && ctx?.url?.username != ''" allow_duplicates: false - append: field: related.hash + allow_duplicates: false value: "{{panw.panos.file.hash}}" if: "ctx?.panw?.panos?.file?.hash != null" - append: field: related.hosts + allow_duplicates: false value: "{{observer.hostname}}" if: "ctx?.observer?.hostname != null && ctx.observer?.hostname != ''" allow_duplicates: false - append: field: related.hosts + allow_duplicates: false value: "{{url.domain}}" if: "ctx?.url?.domain != null && ctx.url?.domain != ''" allow_duplicates: false diff --git a/x-pack/filebeat/module/panw/panos/test/pan_inc_other.log-expected.json b/x-pack/filebeat/module/panw/panos/test/pan_inc_other.log-expected.json index 54a45d4465e..a6777dca5e6 100644 --- a/x-pack/filebeat/module/panw/panos/test/pan_inc_other.log-expected.json +++ b/x-pack/filebeat/module/panw/panos/test/pan_inc_other.log-expected.json @@ -803,11 +803,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", diff --git a/x-pack/filebeat/module/panw/panos/test/pan_inc_threat.log-expected.json b/x-pack/filebeat/module/panw/panos/test/pan_inc_threat.log-expected.json index cf6c021da90..10ea226c1ee 100644 --- a/x-pack/filebeat/module/panw/panos/test/pan_inc_threat.log-expected.json +++ b/x-pack/filebeat/module/panw/panos/test/pan_inc_threat.log-expected.json @@ -75,11 +75,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -176,11 +174,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -278,11 +274,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -380,11 +374,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -482,11 +474,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -584,11 +574,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -686,11 +674,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -787,11 +773,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -888,11 +872,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -989,11 +971,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -1091,11 +1071,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -1191,11 +1169,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -1292,11 +1268,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -1393,11 +1367,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -1495,11 +1467,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -1596,11 +1566,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -1693,11 +1661,9 @@ "related.ip": [ "192.168.0.2", "78.159.99.224", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -1795,11 +1761,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -1895,11 +1859,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -1995,11 +1957,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -2096,11 +2056,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -2196,11 +2154,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -2294,11 +2250,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -2389,11 +2343,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -2484,11 +2436,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -2579,11 +2529,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -2674,11 +2622,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -2769,11 +2715,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -2864,11 +2808,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -2959,11 +2901,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -3054,11 +2994,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -3149,11 +3087,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -3244,11 +3180,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -3338,11 +3272,9 @@ "related.ip": [ "192.168.0.2", "69.43.161.167", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -3436,11 +3368,9 @@ "related.ip": [ "192.168.0.2", "202.31.187.154", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -3534,11 +3464,9 @@ "related.ip": [ "192.168.0.2", "89.111.176.67", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -3634,11 +3562,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -3732,11 +3658,9 @@ "related.ip": [ "192.168.0.2", "208.73.210.29", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -3829,11 +3753,9 @@ "related.ip": [ "192.168.0.2", "208.73.210.29", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -3929,11 +3851,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -4026,11 +3946,9 @@ "related.ip": [ "192.168.0.2", "208.73.210.29", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -4124,11 +4042,9 @@ "related.ip": [ "192.168.0.2", "89.108.64.156", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -4221,11 +4137,9 @@ "related.ip": [ "192.168.0.2", "89.108.64.156", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -4307,11 +4221,9 @@ "related.ip": [ "204.232.231.46", "192.168.0.2", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -4413,11 +4325,9 @@ "related.ip": [ "192.168.0.2", "216.8.179.25", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -4509,11 +4419,9 @@ "related.ip": [ "192.168.0.2", "69.43.161.154", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -4605,11 +4513,9 @@ "related.ip": [ "192.168.0.2", "208.91.196.252", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -4702,11 +4608,9 @@ "related.ip": [ "192.168.0.2", "208.73.210.29", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -4801,11 +4705,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -4900,11 +4802,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -5000,11 +4900,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -5100,11 +4998,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -5200,11 +5096,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -5289,11 +5183,9 @@ "related.ip": [ "173.236.179.57", "192.168.0.2", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -5395,11 +5287,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -5484,11 +5374,9 @@ "related.ip": [ "91.209.163.202", "192.168.0.2", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -5579,11 +5467,9 @@ "related.ip": [ "122.226.169.183", "192.168.0.2", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -5684,11 +5570,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -5773,11 +5657,9 @@ "related.ip": [ "109.201.131.15", "192.168.0.2", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -5865,11 +5747,9 @@ "related.ip": [ "91.209.163.202", "192.168.0.2", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -5968,11 +5848,9 @@ "related.ip": [ "192.168.0.2", "213.180.199.61", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -6065,11 +5943,9 @@ "related.ip": [ "192.168.0.2", "213.180.199.61", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -6162,11 +6038,9 @@ "related.ip": [ "192.168.0.2", "213.180.199.61", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -6251,11 +6125,9 @@ "related.ip": [ "173.236.179.57", "192.168.0.2", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -6357,11 +6229,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -6456,11 +6326,9 @@ "related.ip": [ "192.168.0.6", "207.46.140.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "jordy", "jordy" ], "rule.name": "rule1", @@ -6541,11 +6409,9 @@ "related.ip": [ "65.54.161.34", "192.168.0.6", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "jordy", "jordy" ], "rule.name": "rule1", @@ -6636,11 +6502,9 @@ "related.ip": [ "65.55.5.231", "192.168.0.6", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "jordy", "jordy" ], "rule.name": "rule1", @@ -6741,11 +6605,9 @@ "related.ip": [ "192.168.0.6", "65.54.71.11", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "jordy", "jordy" ], "rule.name": "rule1", @@ -6825,11 +6687,9 @@ "related.ip": [ "74.125.239.17", "192.168.0.6", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "jordy", "jordy" ], "rule.name": "rule1", @@ -6924,11 +6784,9 @@ "related.ip": [ "192.168.0.2", "208.85.40.48", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "picard", "picard" ], "rule.name": "rule1", @@ -7008,11 +6866,9 @@ "related.ip": [ "74.125.224.198", "192.168.0.2", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "picard", "picard" ], "rule.name": "rule1", @@ -7100,11 +6956,9 @@ "related.ip": [ "188.190.124.75", "192.168.0.6", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "jordy", "jordy" ], "rule.name": "rule1", @@ -7194,11 +7048,9 @@ "related.ip": [ "74.125.224.200", "192.168.0.2", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "picard", "picard" ], "rule.name": "rule1", @@ -7285,11 +7137,9 @@ "related.ip": [ "74.125.239.3", "192.168.0.2", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "picard", "picard" ], "rule.name": "rule1", @@ -7376,11 +7226,9 @@ "related.ip": [ "74.125.239.3", "192.168.0.2", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "picard", "picard" ], "rule.name": "rule1", @@ -7467,11 +7315,9 @@ "related.ip": [ "74.125.224.200", "192.168.0.2", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "picard", "picard" ], "rule.name": "rule1", @@ -7566,11 +7412,9 @@ "related.ip": [ "192.168.0.2", "74.125.239.6", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "picard", "picard" ], "rule.name": "rule1", @@ -7650,11 +7494,9 @@ "related.ip": [ "74.125.224.193", "192.168.0.2", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "picard", "picard" ], "rule.name": "rule1", @@ -7742,11 +7584,9 @@ "related.ip": [ "74.125.239.20", "192.168.0.2", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "picard", "picard" ], "rule.name": "rule1", @@ -7833,11 +7673,9 @@ "related.ip": [ "208.80.154.225", "192.168.0.2", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "picard", "picard" ], "rule.name": "rule1", @@ -7925,11 +7763,9 @@ "related.ip": [ "208.80.154.234", "192.168.0.2", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "picard", "picard" ], "rule.name": "rule1", @@ -8017,11 +7853,9 @@ "related.ip": [ "65.54.75.25", "192.168.0.6", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "jordy", "jordy" ], "rule.name": "rule1", @@ -8111,11 +7945,9 @@ "related.ip": [ "74.125.224.206", "192.168.0.2", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "jordy", "jordy" ], "rule.name": "rule1", @@ -8202,11 +8034,9 @@ "related.ip": [ "74.125.224.195", "192.168.0.2", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "jordy", "jordy" ], "rule.name": "rule1", @@ -8294,11 +8124,9 @@ "related.ip": [ "207.178.96.34", "192.168.0.2", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "jordy", "jordy" ], "rule.name": "rule1", @@ -8388,11 +8216,9 @@ "related.ip": [ "74.125.224.195", "192.168.0.2", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "picard", "picard" ], "rule.name": "rule1", @@ -8479,11 +8305,9 @@ "related.ip": [ "74.125.239.20", "192.168.0.2", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "picard", "picard" ], "rule.name": "rule1", @@ -8571,11 +8395,9 @@ "related.ip": [ "66.152.109.24", "192.168.0.2", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "picard", "picard" ], "rule.name": "rule1", @@ -8665,11 +8487,9 @@ "related.ip": [ "74.125.224.200", "192.168.0.2", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "picard", "picard" ], "rule.name": "rule1", @@ -8764,11 +8584,9 @@ "related.ip": [ "192.168.0.2", "74.125.224.201", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "picard", "picard" ], "rule.name": "rule1", @@ -8848,11 +8666,9 @@ "related.ip": [ "74.125.224.200", "192.168.0.2", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "picard", "picard" ], "rule.name": "rule1", @@ -8939,11 +8755,9 @@ "related.ip": [ "74.125.224.200", "192.168.0.2", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "picard", "picard" ], "rule.name": "rule1", @@ -9038,11 +8852,9 @@ "related.ip": [ "192.168.0.2", "208.85.40.48", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "jordy", "jordy" ], "rule.name": "rule1", @@ -9122,11 +8934,9 @@ "related.ip": [ "74.125.224.201", "192.168.0.2", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "jordy", "jordy" ], "rule.name": "rule1", @@ -9213,11 +9023,9 @@ "related.ip": [ "74.125.224.201", "192.168.0.2", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "jordy", "jordy" ], "rule.name": "rule1", @@ -9304,11 +9112,9 @@ "related.ip": [ "74.125.224.200", "192.168.0.2", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "jordy", "jordy" ], "rule.name": "rule1", @@ -9395,11 +9201,9 @@ "related.ip": [ "74.125.224.200", "192.168.0.2", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "jordy", "jordy" ], "rule.name": "rule1", @@ -9487,11 +9291,9 @@ "related.ip": [ "74.125.224.198", "192.168.0.2", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "jordy", "jordy" ], "rule.name": "rule1", @@ -9578,11 +9380,9 @@ "related.ip": [ "74.125.224.200", "192.168.0.2", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "jordy", "jordy" ], "rule.name": "rule1", diff --git a/x-pack/filebeat/module/panw/panos/test/pan_inc_traffic.log-expected.json b/x-pack/filebeat/module/panw/panos/test/pan_inc_traffic.log-expected.json index 44f7a7790ab..a4ae1b157d9 100644 --- a/x-pack/filebeat/module/panw/panos/test/pan_inc_traffic.log-expected.json +++ b/x-pack/filebeat/module/panw/panos/test/pan_inc_traffic.log-expected.json @@ -77,11 +77,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -176,11 +174,9 @@ "related.ip": [ "192.168.0.2", "205.171.2.25", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -275,11 +271,9 @@ "related.ip": [ "192.168.0.2", "205.171.2.25", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -377,11 +371,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -479,11 +471,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -578,11 +568,9 @@ "related.ip": [ "192.168.0.2", "205.171.2.25", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -677,11 +665,9 @@ "related.ip": [ "192.168.0.2", "205.171.2.25", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -779,11 +765,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -881,11 +865,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -983,11 +965,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -1085,11 +1065,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -1187,11 +1165,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -1289,11 +1265,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -1391,11 +1365,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -1493,11 +1465,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -1595,11 +1565,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -1697,11 +1665,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -1799,11 +1765,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -1901,11 +1865,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -2000,11 +1962,9 @@ "related.ip": [ "192.168.0.2", "205.171.2.25", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -2099,11 +2059,9 @@ "related.ip": [ "192.168.0.2", "205.171.2.25", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -2201,11 +2159,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -2300,11 +2256,9 @@ "related.ip": [ "192.168.0.2", "205.171.2.25", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -2402,11 +2356,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -2504,11 +2456,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -2606,11 +2556,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -2705,11 +2653,9 @@ "related.ip": [ "192.168.0.2", "205.171.2.25", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -2804,11 +2750,9 @@ "related.ip": [ "192.168.0.2", "205.171.2.25", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -2906,11 +2850,9 @@ "related.ip": [ "192.168.0.2", "98.149.55.63", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -3008,11 +2950,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -3107,11 +3047,9 @@ "related.ip": [ "192.168.0.2", "205.171.2.25", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -3209,11 +3147,9 @@ "related.ip": [ "192.168.0.2", "212.48.10.58", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -3311,11 +3247,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -3410,11 +3344,9 @@ "related.ip": [ "192.168.0.2", "205.171.2.25", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -3509,11 +3441,9 @@ "related.ip": [ "192.168.0.2", "205.171.2.25", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -3611,11 +3541,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -3713,11 +3641,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -3812,11 +3738,9 @@ "related.ip": [ "192.168.0.2", "205.171.2.25", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -3911,11 +3835,9 @@ "related.ip": [ "192.168.0.2", "205.171.2.25", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -4008,7 +3930,6 @@ "related.ip": [ "192.168.0.100", "8.8.8.8", - "0.0.0.0", "0.0.0.0" ], "rule.name": "rule1", @@ -4102,11 +4023,9 @@ "related.ip": [ "192.168.0.2", "62.211.68.12", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -4202,7 +4121,6 @@ "related.ip": [ "192.168.0.100", "50.19.102.116", - "0.0.0.0", "0.0.0.0" ], "rule.name": "rule1", @@ -4299,11 +4217,9 @@ "related.ip": [ "192.168.0.2", "65.55.223.19", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -4401,11 +4317,9 @@ "related.ip": [ "192.168.0.2", "65.55.223.24", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -4498,7 +4412,6 @@ "related.ip": [ "192.168.0.100", "8.8.8.8", - "0.0.0.0", "0.0.0.0" ], "rule.name": "rule1", @@ -4595,11 +4508,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -4694,11 +4605,9 @@ "related.ip": [ "192.168.0.2", "205.171.2.25", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -4796,11 +4705,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -4895,11 +4802,9 @@ "related.ip": [ "192.168.0.2", "205.171.2.25", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -4994,11 +4899,9 @@ "related.ip": [ "192.168.0.2", "205.171.2.25", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -5093,11 +4996,9 @@ "related.ip": [ "192.168.0.2", "205.171.2.25", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -5192,11 +5093,9 @@ "related.ip": [ "192.168.0.2", "205.171.2.25", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -5291,11 +5190,9 @@ "related.ip": [ "192.168.0.2", "62.211.68.12", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -5393,11 +5290,9 @@ "related.ip": [ "192.168.0.2", "212.48.10.58", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -5495,11 +5390,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -5594,11 +5487,9 @@ "related.ip": [ "192.168.0.2", "205.171.2.25", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -5696,11 +5587,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -5795,11 +5684,9 @@ "related.ip": [ "192.168.0.2", "205.171.2.25", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -5894,11 +5781,9 @@ "related.ip": [ "192.168.0.2", "205.171.2.25", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -5996,11 +5881,9 @@ "related.ip": [ "192.168.0.2", "65.55.223.31", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -6098,11 +5981,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -6197,11 +6078,9 @@ "related.ip": [ "192.168.0.2", "205.171.2.25", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -6296,11 +6175,9 @@ "related.ip": [ "192.168.0.2", "205.171.2.25", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -6395,11 +6272,9 @@ "related.ip": [ "192.168.0.2", "62.211.68.12", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -6494,11 +6369,9 @@ "related.ip": [ "192.168.0.2", "205.171.2.25", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -6593,11 +6466,9 @@ "related.ip": [ "192.168.0.2", "205.171.2.25", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -6692,11 +6563,9 @@ "related.ip": [ "192.168.0.2", "205.171.2.25", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -6794,11 +6663,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -6893,11 +6760,9 @@ "related.ip": [ "192.168.0.2", "62.211.68.12", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -6995,11 +6860,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -7094,11 +6957,9 @@ "related.ip": [ "192.168.0.2", "205.171.2.25", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -7193,11 +7054,9 @@ "related.ip": [ "192.168.0.2", "205.171.2.25", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -7295,11 +7154,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -7394,11 +7251,9 @@ "related.ip": [ "192.168.0.2", "8.5.1.1", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -7493,11 +7348,9 @@ "related.ip": [ "192.168.0.2", "205.171.2.25", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -7592,11 +7445,9 @@ "related.ip": [ "192.168.0.2", "205.171.2.25", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -7694,11 +7545,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -7786,11 +7635,9 @@ "related.ip": [ "192.168.0.2", "192.168.0.1", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -7888,11 +7735,9 @@ "related.ip": [ "192.168.0.2", "212.48.10.58", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -7990,11 +7835,9 @@ "related.ip": [ "192.168.0.2", "212.48.10.58", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -8082,11 +7925,9 @@ "related.ip": [ "192.168.0.2", "192.168.0.1", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -8174,11 +8015,9 @@ "related.ip": [ "192.168.0.2", "192.168.0.1", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -8276,11 +8115,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -8375,11 +8212,9 @@ "related.ip": [ "192.168.0.2", "205.171.2.25", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -8474,11 +8309,9 @@ "related.ip": [ "192.168.0.2", "205.171.2.25", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -8576,11 +8409,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -8675,11 +8506,9 @@ "related.ip": [ "192.168.0.2", "205.171.2.25", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -8767,11 +8596,9 @@ "related.ip": [ "192.168.0.2", "192.168.0.1", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -8866,11 +8693,9 @@ "related.ip": [ "192.168.0.2", "205.171.2.25", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -8968,11 +8793,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -9067,11 +8890,9 @@ "related.ip": [ "192.168.0.2", "205.171.2.25", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -9166,11 +8987,9 @@ "related.ip": [ "192.168.0.2", "205.171.2.25", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -9265,11 +9084,9 @@ "related.ip": [ "192.168.0.2", "62.211.68.12", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -9367,11 +9184,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -9469,11 +9284,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -9571,11 +9384,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -9663,11 +9474,9 @@ "related.ip": [ "192.168.0.2", "192.168.0.1", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -9765,11 +9574,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -9867,11 +9674,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", @@ -9969,11 +9774,9 @@ "related.ip": [ "192.168.0.2", "204.232.231.46", - "0.0.0.0", "0.0.0.0" ], "related.user": [ - "crusher", "crusher" ], "rule.name": "rule1", diff --git a/x-pack/filebeat/module/panw/panos/test/threat.log-expected.json b/x-pack/filebeat/module/panw/panos/test/threat.log-expected.json index d03e24e00c7..0d9b9000a97 100644 --- a/x-pack/filebeat/module/panw/panos/test/threat.log-expected.json +++ b/x-pack/filebeat/module/panw/panos/test/threat.log-expected.json @@ -81,8 +81,7 @@ "related.ip": [ "192.168.15.224", "152.195.55.192", - "192.168.1.63", - "152.195.55.192" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -186,8 +185,7 @@ "related.ip": [ "192.168.15.224", "152.195.55.192", - "192.168.1.63", - "152.195.55.192" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -291,8 +289,7 @@ "related.ip": [ "192.168.15.224", "152.195.55.192", - "192.168.1.63", - "152.195.55.192" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -396,8 +393,7 @@ "related.ip": [ "192.168.15.224", "152.195.55.192", - "192.168.1.63", - "152.195.55.192" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -501,8 +497,7 @@ "related.ip": [ "192.168.15.224", "152.195.55.192", - "192.168.1.63", - "152.195.55.192" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -606,8 +601,7 @@ "related.ip": [ "192.168.15.224", "152.195.55.192", - "192.168.1.63", - "152.195.55.192" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -711,8 +705,7 @@ "related.ip": [ "192.168.15.224", "152.195.55.192", - "192.168.1.63", - "152.195.55.192" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -816,8 +809,7 @@ "related.ip": [ "192.168.15.224", "152.195.55.192", - "192.168.1.63", - "152.195.55.192" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -921,8 +913,7 @@ "related.ip": [ "192.168.15.224", "152.195.55.192", - "192.168.1.63", - "152.195.55.192" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -1026,8 +1017,7 @@ "related.ip": [ "192.168.15.224", "152.195.55.192", - "192.168.1.63", - "152.195.55.192" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -1131,8 +1121,7 @@ "related.ip": [ "192.168.15.224", "152.195.55.192", - "192.168.1.63", - "152.195.55.192" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -1236,8 +1225,7 @@ "related.ip": [ "192.168.15.224", "152.195.55.192", - "192.168.1.63", - "152.195.55.192" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -1341,8 +1329,7 @@ "related.ip": [ "192.168.15.224", "152.195.55.192", - "192.168.1.63", - "152.195.55.192" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -1446,8 +1433,7 @@ "related.ip": [ "192.168.15.224", "152.195.55.192", - "192.168.1.63", - "152.195.55.192" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -1551,8 +1537,7 @@ "related.ip": [ "192.168.15.224", "152.195.55.192", - "192.168.1.63", - "152.195.55.192" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -1656,8 +1641,7 @@ "related.ip": [ "192.168.15.224", "152.195.55.192", - "192.168.1.63", - "152.195.55.192" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -1761,8 +1745,7 @@ "related.ip": [ "192.168.15.224", "152.195.55.192", - "192.168.1.63", - "152.195.55.192" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -1866,8 +1849,7 @@ "related.ip": [ "192.168.15.224", "152.195.55.192", - "192.168.1.63", - "152.195.55.192" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -1971,8 +1953,7 @@ "related.ip": [ "192.168.15.224", "152.195.55.192", - "192.168.1.63", - "152.195.55.192" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -2076,8 +2057,7 @@ "related.ip": [ "192.168.15.224", "152.195.55.192", - "192.168.1.63", - "152.195.55.192" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -2181,8 +2161,7 @@ "related.ip": [ "192.168.15.224", "23.72.137.131", - "192.168.1.63", - "23.72.137.131" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "23.72.137.131", @@ -2286,8 +2265,7 @@ "related.ip": [ "192.168.15.224", "152.195.55.192", - "192.168.1.63", - "152.195.55.192" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -2391,8 +2369,7 @@ "related.ip": [ "192.168.15.224", "152.195.55.192", - "192.168.1.63", - "152.195.55.192" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -2496,8 +2473,7 @@ "related.ip": [ "192.168.15.224", "152.195.55.192", - "192.168.1.63", - "152.195.55.192" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -2601,8 +2577,7 @@ "related.ip": [ "192.168.15.224", "152.195.55.192", - "192.168.1.63", - "152.195.55.192" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -2706,8 +2681,7 @@ "related.ip": [ "192.168.15.224", "152.195.55.192", - "192.168.1.63", - "152.195.55.192" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -2811,8 +2785,7 @@ "related.ip": [ "192.168.15.224", "152.195.55.192", - "192.168.1.63", - "152.195.55.192" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -2916,8 +2889,7 @@ "related.ip": [ "192.168.15.224", "152.195.55.192", - "192.168.1.63", - "152.195.55.192" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -3021,8 +2993,7 @@ "related.ip": [ "192.168.15.224", "152.195.55.192", - "192.168.1.63", - "152.195.55.192" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -3126,8 +3097,7 @@ "related.ip": [ "192.168.15.224", "152.195.55.192", - "192.168.1.63", - "152.195.55.192" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -3231,8 +3201,7 @@ "related.ip": [ "192.168.15.224", "152.195.55.192", - "192.168.1.63", - "152.195.55.192" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -3336,8 +3305,7 @@ "related.ip": [ "192.168.15.224", "152.195.55.192", - "192.168.1.63", - "152.195.55.192" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -3441,8 +3409,7 @@ "related.ip": [ "192.168.15.224", "152.195.55.192", - "192.168.1.63", - "152.195.55.192" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -3546,8 +3513,7 @@ "related.ip": [ "192.168.15.224", "152.195.55.192", - "192.168.1.63", - "152.195.55.192" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -3651,8 +3617,7 @@ "related.ip": [ "192.168.15.224", "152.195.55.192", - "192.168.1.63", - "152.195.55.192" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "152.195.55.192", @@ -3756,8 +3721,7 @@ "related.ip": [ "192.168.15.224", "151.101.2.2", - "192.168.1.63", - "151.101.2.2" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "151.101.2.2", @@ -3864,8 +3828,7 @@ "related.ip": [ "192.168.15.224", "54.192.7.152", - "192.168.1.63", - "54.192.7.152" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "54.192.7.152", @@ -3972,8 +3935,7 @@ "related.ip": [ "192.168.15.224", "52.4.120.175", - "192.168.1.63", - "52.4.120.175" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "52.4.120.175", @@ -4080,8 +4042,7 @@ "related.ip": [ "192.168.15.224", "52.4.120.175", - "192.168.1.63", - "52.4.120.175" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "52.4.120.175", @@ -4188,8 +4149,7 @@ "related.ip": [ "192.168.15.224", "52.4.120.175", - "192.168.1.63", - "52.4.120.175" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "52.4.120.175", @@ -4296,8 +4256,7 @@ "related.ip": [ "192.168.15.224", "52.4.120.175", - "192.168.1.63", - "52.4.120.175" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "52.4.120.175", @@ -4404,8 +4363,7 @@ "related.ip": [ "192.168.15.224", "52.4.120.175", - "192.168.1.63", - "52.4.120.175" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "52.4.120.175", @@ -4512,8 +4470,7 @@ "related.ip": [ "192.168.15.224", "52.4.120.175", - "192.168.1.63", - "52.4.120.175" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "52.4.120.175", @@ -4620,8 +4577,7 @@ "related.ip": [ "192.168.15.224", "52.4.120.175", - "192.168.1.63", - "52.4.120.175" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "52.4.120.175", @@ -4728,8 +4684,7 @@ "related.ip": [ "192.168.15.224", "52.4.120.175", - "192.168.1.63", - "52.4.120.175" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "52.4.120.175", @@ -4836,8 +4791,7 @@ "related.ip": [ "192.168.15.224", "52.4.120.175", - "192.168.1.63", - "52.4.120.175" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "52.4.120.175", @@ -4944,8 +4898,7 @@ "related.ip": [ "192.168.15.224", "52.4.120.175", - "192.168.1.63", - "52.4.120.175" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "52.4.120.175", @@ -5052,8 +5005,7 @@ "related.ip": [ "192.168.15.224", "52.4.120.175", - "192.168.1.63", - "52.4.120.175" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "52.4.120.175", @@ -5160,8 +5112,7 @@ "related.ip": [ "192.168.15.224", "52.4.120.175", - "192.168.1.63", - "52.4.120.175" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "52.4.120.175", @@ -5268,8 +5219,7 @@ "related.ip": [ "192.168.15.224", "216.58.194.98", - "192.168.1.63", - "216.58.194.98" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "216.58.194.98", @@ -5373,8 +5323,7 @@ "related.ip": [ "192.168.15.224", "23.72.145.245", - "192.168.1.63", - "23.72.145.245" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "23.72.145.245", @@ -5478,8 +5427,7 @@ "related.ip": [ "192.168.15.224", "23.72.145.245", - "192.168.1.63", - "23.72.145.245" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "23.72.145.245", @@ -5583,8 +5531,7 @@ "related.ip": [ "192.168.15.224", "23.72.145.245", - "192.168.1.63", - "23.72.145.245" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "23.72.145.245", @@ -5688,8 +5635,7 @@ "related.ip": [ "192.168.15.224", "23.72.145.245", - "192.168.1.63", - "23.72.145.245" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "23.72.145.245", @@ -5793,8 +5739,7 @@ "related.ip": [ "192.168.15.224", "23.72.145.245", - "192.168.1.63", - "23.72.145.245" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "23.72.145.245", @@ -5898,8 +5843,7 @@ "related.ip": [ "192.168.15.224", "23.72.145.245", - "192.168.1.63", - "23.72.145.245" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "23.72.145.245", @@ -6003,8 +5947,7 @@ "related.ip": [ "192.168.15.224", "23.72.145.245", - "192.168.1.63", - "23.72.145.245" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "23.72.145.245", @@ -6108,8 +6051,7 @@ "related.ip": [ "192.168.15.224", "23.72.145.245", - "192.168.1.63", - "23.72.145.245" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "23.72.145.245", @@ -6213,8 +6155,7 @@ "related.ip": [ "192.168.15.224", "23.72.145.245", - "192.168.1.63", - "23.72.145.245" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "23.72.145.245", @@ -6318,8 +6259,7 @@ "related.ip": [ "192.168.15.224", "23.72.145.245", - "192.168.1.63", - "23.72.145.245" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "23.72.145.245", @@ -6426,8 +6366,7 @@ "related.ip": [ "192.168.15.224", "54.209.101.70", - "192.168.1.63", - "54.209.101.70" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "54.209.101.70", @@ -6534,8 +6473,7 @@ "related.ip": [ "192.168.15.224", "54.209.101.70", - "192.168.1.63", - "54.209.101.70" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "54.209.101.70", @@ -6642,8 +6580,7 @@ "related.ip": [ "192.168.15.224", "54.209.101.70", - "192.168.1.63", - "54.209.101.70" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "54.209.101.70", @@ -6750,8 +6687,7 @@ "related.ip": [ "192.168.15.224", "54.209.101.70", - "192.168.1.63", - "54.209.101.70" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "54.209.101.70", @@ -6858,8 +6794,7 @@ "related.ip": [ "192.168.15.224", "54.209.101.70", - "192.168.1.63", - "54.209.101.70" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "54.209.101.70", @@ -6966,8 +6901,7 @@ "related.ip": [ "192.168.15.224", "54.209.101.70", - "192.168.1.63", - "54.209.101.70" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "54.209.101.70", @@ -7074,8 +7008,7 @@ "related.ip": [ "192.168.15.224", "54.209.101.70", - "192.168.1.63", - "54.209.101.70" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "54.209.101.70", @@ -7182,8 +7115,7 @@ "related.ip": [ "192.168.15.224", "54.209.101.70", - "192.168.1.63", - "54.209.101.70" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "54.209.101.70", @@ -7290,8 +7222,7 @@ "related.ip": [ "192.168.15.224", "54.209.101.70", - "192.168.1.63", - "54.209.101.70" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "54.209.101.70", @@ -7398,8 +7329,7 @@ "related.ip": [ "192.168.15.224", "54.209.101.70", - "192.168.1.63", - "54.209.101.70" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "54.209.101.70", @@ -7506,8 +7436,7 @@ "related.ip": [ "192.168.15.224", "54.209.101.70", - "192.168.1.63", - "54.209.101.70" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "54.209.101.70", @@ -7614,8 +7543,7 @@ "related.ip": [ "192.168.15.224", "54.209.101.70", - "192.168.1.63", - "54.209.101.70" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "54.209.101.70", @@ -7722,8 +7650,7 @@ "related.ip": [ "192.168.15.224", "54.209.101.70", - "192.168.1.63", - "54.209.101.70" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "54.209.101.70", @@ -7830,8 +7757,7 @@ "related.ip": [ "192.168.15.224", "54.209.101.70", - "192.168.1.63", - "54.209.101.70" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "54.209.101.70", @@ -7938,8 +7864,7 @@ "related.ip": [ "192.168.15.224", "54.209.101.70", - "192.168.1.63", - "54.209.101.70" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "54.209.101.70", @@ -8046,8 +7971,7 @@ "related.ip": [ "192.168.15.224", "54.209.101.70", - "192.168.1.63", - "54.209.101.70" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.ip": "54.209.101.70", diff --git a/x-pack/filebeat/module/panw/panos/test/traffic.log-expected.json b/x-pack/filebeat/module/panw/panos/test/traffic.log-expected.json index 200e02370d3..a6877841bd3 100644 --- a/x-pack/filebeat/module/panw/panos/test/traffic.log-expected.json +++ b/x-pack/filebeat/module/panw/panos/test/traffic.log-expected.json @@ -86,8 +86,7 @@ "related.ip": [ "192.168.15.207", "184.51.253.152", - "192.168.1.63", - "184.51.253.152" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 5976, @@ -196,8 +195,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 588, @@ -309,8 +307,7 @@ "related.ip": [ "192.168.15.207", "17.253.3.202", - "192.168.1.63", - "17.253.3.202" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 1035, @@ -419,8 +416,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 588, @@ -532,8 +528,7 @@ "related.ip": [ "192.168.15.196", "216.58.194.99", - "192.168.1.63", - "216.58.194.99" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 1613, @@ -642,8 +637,7 @@ "related.ip": [ "192.168.15.224", "209.234.224.22", - "192.168.1.63", - "209.234.224.22" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 21111, @@ -752,8 +746,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 588, @@ -862,8 +855,7 @@ "related.ip": [ "192.168.15.224", "172.217.2.238", - "192.168.1.63", - "172.217.2.238" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 3732, @@ -972,8 +964,7 @@ "related.ip": [ "192.168.15.207", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 221, @@ -1082,8 +1073,7 @@ "related.ip": [ "192.168.15.207", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 221, @@ -1192,8 +1182,7 @@ "related.ip": [ "192.168.15.207", "17.249.60.78", - "192.168.1.63", - "17.249.60.78" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 5469, @@ -1302,8 +1291,7 @@ "related.ip": [ "192.168.15.207", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 224, @@ -1412,8 +1400,7 @@ "related.ip": [ "192.168.15.207", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 117, @@ -1522,8 +1509,7 @@ "related.ip": [ "192.168.15.207", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 307, @@ -1632,8 +1618,7 @@ "related.ip": [ "192.168.15.207", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 365, @@ -1742,8 +1727,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 588, @@ -1852,8 +1836,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 161, @@ -1962,8 +1945,7 @@ "related.ip": [ "192.168.15.224", "98.138.49.44", - "192.168.1.63", - "98.138.49.44" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 7805, @@ -2072,8 +2054,7 @@ "related.ip": [ "192.168.15.224", "72.30.3.43", - "192.168.1.63", - "72.30.3.43" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 6106, @@ -2182,8 +2163,7 @@ "related.ip": [ "192.168.15.196", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 196, @@ -2292,8 +2272,7 @@ "related.ip": [ "192.168.15.224", "172.217.9.142", - "192.168.1.63", - "172.217.9.142" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 3245, @@ -2402,8 +2381,7 @@ "related.ip": [ "192.168.15.207", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 179, @@ -2515,8 +2493,7 @@ "related.ip": [ "192.168.15.224", "54.84.80.198", - "192.168.1.63", - "54.84.80.198" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 4537, @@ -2626,8 +2603,7 @@ "related.ip": [ "192.168.15.224", "199.167.55.52", - "192.168.1.63", - "199.167.55.52" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 0, @@ -2736,8 +2712,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 588, @@ -2842,8 +2817,7 @@ "related.ip": [ "192.168.15.210", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 130, @@ -2949,8 +2923,7 @@ "related.ip": [ "192.168.15.224", "172.217.9.142", - "192.168.1.63", - "172.217.9.142" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 1991, @@ -3059,8 +3032,7 @@ "related.ip": [ "192.168.15.224", "151.101.2.2", - "192.168.1.63", - "151.101.2.2" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 523, @@ -3172,8 +3144,7 @@ "related.ip": [ "192.168.15.224", "216.58.194.66", - "192.168.1.63", - "216.58.194.66" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 2428, @@ -3282,8 +3253,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 588, @@ -3392,8 +3362,7 @@ "related.ip": [ "192.168.15.210", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 196, @@ -3502,8 +3471,7 @@ "related.ip": [ "192.168.15.224", "184.51.253.193", - "192.168.1.63", - "184.51.253.193" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 5003, @@ -3612,8 +3580,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 171, @@ -3723,8 +3690,7 @@ "related.ip": [ "192.168.15.224", "199.167.55.52", - "192.168.1.63", - "199.167.55.52" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 0, @@ -3836,8 +3802,7 @@ "related.ip": [ "192.168.15.224", "199.167.52.219", - "192.168.1.63", - "199.167.52.219" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 2316, @@ -3949,8 +3914,7 @@ "related.ip": [ "192.168.15.224", "52.71.117.196", - "192.168.1.63", - "52.71.117.196" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 13966, @@ -4059,8 +4023,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 244, @@ -4169,8 +4132,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 205, @@ -4282,8 +4244,7 @@ "related.ip": [ "192.168.15.224", "35.186.194.41", - "192.168.1.63", - "35.186.194.41" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 2302, @@ -4390,8 +4351,7 @@ "related.ip": [ "192.168.15.224", "35.201.124.9", - "192.168.1.63", - "35.201.124.9" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 6757, @@ -4503,8 +4463,7 @@ "related.ip": [ "192.168.15.224", "100.24.131.237", - "192.168.1.63", - "100.24.131.237" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 9007, @@ -4613,8 +4572,7 @@ "related.ip": [ "192.168.15.224", "184.51.252.247", - "192.168.1.63", - "184.51.252.247" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 661, @@ -4726,8 +4684,7 @@ "related.ip": [ "192.168.15.224", "35.190.88.148", - "192.168.1.63", - "35.190.88.148" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 11136, @@ -4839,8 +4796,7 @@ "related.ip": [ "192.168.15.224", "35.186.243.83", - "192.168.1.63", - "35.186.243.83" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 11136, @@ -4949,8 +4905,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 182, @@ -5059,8 +5014,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 90, @@ -5172,8 +5126,7 @@ "related.ip": [ "192.168.15.224", "100.24.165.74", - "192.168.1.63", - "100.24.165.74" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 6669, @@ -5282,8 +5235,7 @@ "related.ip": [ "192.168.15.224", "184.51.252.247", - "192.168.1.63", - "184.51.252.247" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 661, @@ -5390,8 +5342,7 @@ "related.ip": [ "192.168.15.224", "35.201.94.140", - "192.168.1.63", - "35.201.94.140" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 11136, @@ -5496,8 +5447,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 588, @@ -5606,8 +5556,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 144, @@ -5716,8 +5665,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 206, @@ -5826,8 +5774,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 206, @@ -5936,8 +5883,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 169, @@ -6046,8 +5992,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 132, @@ -6156,8 +6101,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 127, @@ -6266,8 +6210,7 @@ "related.ip": [ "192.168.15.196", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 105, @@ -6376,8 +6319,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 172, @@ -6486,8 +6428,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 134, @@ -6596,8 +6537,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 179, @@ -6706,8 +6646,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 218, @@ -6816,8 +6755,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 172, @@ -6926,8 +6864,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 305, @@ -7039,8 +6976,7 @@ "related.ip": [ "192.168.15.224", "66.28.0.45", - "192.168.1.63", - "66.28.0.45" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 527, @@ -7149,8 +7085,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 153, @@ -7259,8 +7194,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 169, @@ -7369,8 +7303,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 128, @@ -7479,8 +7412,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 181, @@ -7589,8 +7521,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 121, @@ -7702,8 +7633,7 @@ "related.ip": [ "192.168.15.224", "23.52.174.25", - "192.168.1.63", - "23.52.174.25" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 1246, @@ -7812,8 +7742,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 315, @@ -7922,8 +7851,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 130, @@ -8035,8 +7963,7 @@ "related.ip": [ "192.168.15.224", "54.230.5.228", - "192.168.1.63", - "54.230.5.228" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 288, @@ -8145,8 +8072,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 149, @@ -8255,8 +8181,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 202, @@ -8365,8 +8290,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 195, @@ -8475,8 +8399,7 @@ "related.ip": [ "192.168.15.195", "208.83.246.20", - "192.168.1.63", - "208.83.246.20" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 90, @@ -8584,8 +8507,7 @@ "related.ip": [ "192.168.15.196", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 192, @@ -8693,8 +8615,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 208, @@ -8802,8 +8723,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 100, @@ -8913,8 +8833,7 @@ "related.ip": [ "192.168.15.224", "35.185.88.112", - "192.168.1.63", - "35.185.88.112" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 7237, @@ -9023,8 +8942,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 109, @@ -9133,8 +9051,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 116, @@ -9243,8 +9160,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 96, @@ -9356,8 +9272,7 @@ "related.ip": [ "192.168.15.224", "50.19.85.24", - "192.168.1.63", - "50.19.85.24" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 654, @@ -9469,8 +9384,7 @@ "related.ip": [ "192.168.15.224", "50.19.85.24", - "192.168.1.63", - "50.19.85.24" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 654, @@ -9582,8 +9496,7 @@ "related.ip": [ "192.168.15.224", "50.19.85.24", - "192.168.1.63", - "50.19.85.24" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 654, @@ -9692,8 +9605,7 @@ "related.ip": [ "192.168.15.224", "104.254.150.9", - "192.168.1.63", - "104.254.150.9" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 7820, @@ -9805,8 +9717,7 @@ "related.ip": [ "192.168.15.224", "50.19.85.24", - "192.168.1.63", - "50.19.85.24" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 654, @@ -9918,8 +9829,7 @@ "related.ip": [ "192.168.15.224", "52.0.218.108", - "192.168.1.63", - "52.0.218.108" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 214, @@ -10031,8 +9941,7 @@ "related.ip": [ "192.168.15.224", "52.6.117.19", - "192.168.1.63", - "52.6.117.19" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 214, @@ -10144,8 +10053,7 @@ "related.ip": [ "192.168.15.224", "34.238.96.22", - "192.168.1.63", - "34.238.96.22" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 214, @@ -10257,8 +10165,7 @@ "related.ip": [ "192.168.15.224", "130.211.47.17", - "192.168.1.63", - "130.211.47.17" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 280, @@ -10367,8 +10274,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 172, @@ -10477,8 +10383,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 588, @@ -10587,8 +10492,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 94, @@ -10697,8 +10601,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 170, @@ -10807,8 +10710,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 94, @@ -10917,8 +10819,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 94, @@ -11027,8 +10928,7 @@ "related.ip": [ "192.168.15.224", "8.8.8.8", - "192.168.1.63", - "8.8.8.8" + "192.168.1.63" ], "rule.name": "new_outbound_from_trust", "server.bytes": 166,