From f8fa35523535d44f30a84e89c963c25aee896e99 Mon Sep 17 00:00:00 2001 
From: Andrew Kroh Date: Tue, 5 May 2020 01:19:42 -0400 Subject: [PATCH 1/3] Disable host fields for "cloud", panw, cef modules This changes the default configuration of Filebeat to not add `host` fields to events that originated in other places. The `host` field is defined in ECS as "host on which the event happened" but for data pulled from cloud APIs or data forwarded to Filebeat from other sources (PANW, CEF) this `host` field is inaccurate. The affected "cloud" modules are azure, aws, googlecloud, o365, and okta. By default they will tag events with `cloud`. This causes the module to not add `host.name` at the input stage. And then the default configuration for Filebeat was updated to add a `when` condition to the `add_host_metadata` processors to skip events containing the `cloud` tag. For PANW and CEF when data is forwarded to Filebeat from another host/device (this is most of the time) you don't want Filebeat to add `host`. So by default these modules add a `forwarded` tag to events that behaves the same as the `cloud` tag. If you configure the module to not include the `forwarded` tag (e.g. `var.tags: [my_tag]`) then Filebeat will add the `host.*` fields. And for PANW I added some additional static `observer.*` fields. 
Relates: #13920 --- CHANGELOG.next.asciidoc | 8 + filebeat/_meta/config/processors.yml.tmpl | 9 + filebeat/docs/modules/cef.asciidoc | 6 + filebeat/filebeat.yml | 9 +- filebeat/fileset/fileset.go | 13 + x-pack/filebeat/filebeat.yml | 9 +- .../module/aws/cloudtrail/config/file.yml | 3 + .../module/aws/cloudtrail/config/s3.yml | 3 + .../module/aws/cloudtrail/manifest.yml | 2 + .../add-user-to-group-json.log-expected.json | 3 + .../test/assume-role-json.log-expected.json | 3 + .../change-password-json.log-expected.json | 6 + .../test/console-login-json.log-expected.json | 9 + .../create-access-key-json.log-expected.json | 3 + .../test/create-group-json.log-expected.json | 6 + .../create-key-pair-json.log-expected.json | 3 + .../test/create-trail-json.log-expected.json | 3 + .../test/create-user-json.log-expected.json | 3 + ...-virtual-mfa-device-json.log-expected.json | 3 + ...activate-mfa-device-json.log-expected.json | 3 + .../delete-access-key-json.log-expected.json | 3 + .../test/delete-bucket-json.log-expected.json | 3 + .../test/delete-group-json.log-expected.json | 6 + ...lete-ssh-public-key-json.log-expected.json | 3 + .../test/delete-trail-json.log-expected.json | 3 + .../test/delete-user-json.log-expected.json | 3 + ...-virtual-mfa-device-json.log-expected.json | 3 + .../enable-mfa-device-json.log-expected.json | 3 + ...ove-user-from-group-json.log-expected.json | 3 + .../test/start-logging-json.log-expected.json | 3 + .../test/stop-logging-json.log-expected.json | 3 + .../update-access-key-json.log-expected.json | 3 + ...out-password-policy-json.log-expected.json | 3 + .../test/update-group-json.log-expected.json | 6 + ...pdate-login-profile-json.log-expected.json | 3 + ...date-ssh-public-key-json.log-expected.json | 6 + .../test/update-trail-json.log-expected.json | 6 + .../test/update-user-json.log-expected.json | 3 + ...load-ssh-public-key-json.log-expected.json | 3 + .../module/aws/cloudwatch/config/file.yml | 3 + .../module/aws/cloudwatch/config/s3.yml 
| 3 + .../module/aws/cloudwatch/manifest.yml | 2 + .../test/cloudwatch_ec2.log-expected.json | 30 +- .../filebeat/module/aws/ec2/config/file.yml | 3 + x-pack/filebeat/module/aws/ec2/config/s3.yml | 3 + x-pack/filebeat/module/aws/ec2/manifest.yml | 2 + .../module/aws/ec2/test/ec2.log-expected.json | 30 +- .../filebeat/module/aws/elb/config/file.yml | 3 + x-pack/filebeat/module/aws/elb/config/s3.yml | 3 + x-pack/filebeat/module/aws/elb/manifest.yml | 2 + .../application-lb-http.log-expected.json | 30 + .../aws/elb/test/elb-http.log-expected.json | 15 + .../aws/elb/test/elb-tcp.log-expected.json | 30 +- .../test/example-alb-http.log-expected.json | 27 + .../elb/test/example-http.log-expected.json | 9 + .../elb/test/example-https.log-expected.json | 3 + .../test/example-nlb-tcp.log-expected.json | 3 + .../elb/test/example-ssl.log-expected.json | 3 + .../elb/test/example-tcp.log-expected.json | 10 +- .../module/aws/s3access/config/file.yml | 2 + .../module/aws/s3access/config/s3.yml | 3 + .../filebeat/module/aws/s3access/manifest.yml | 2 + .../test/s3_server_access.log-expected.json | 18 + .../aws/s3access/test/test.log-expected.json | 15 + .../module/aws/vpcflow/config/input.yml | 2 + .../filebeat/module/aws/vpcflow/manifest.yml | 2 + .../accept-reject-traffic.log-expected.json | 20 +- .../test/custom-nat-gateway.log-expected.json | 10 +- .../custom-transit-gateway.log-expected.json | 5 +- .../aws/vpcflow/test/ipv6.log-expected.json | 5 +- .../test/no-data-skip-data.log-expected.json | 10 +- .../test/tcp-flag-sequence.log-expected.json | 5 +- .../activitylogs/config/azure-eventhub.yml | 3 + .../module/azure/activitylogs/config/file.yml | 2 + .../module/azure/activitylogs/manifest.yml | 2 + .../test/activitylogs.log-expected.json | 5 +- .../azure/auditlogs/config/azure-eventhub.yml | 3 +- .../module/azure/auditlogs/config/file.yml | 2 + .../module/azure/auditlogs/manifest.yml | 2 + .../test/auditlogs.log-expected.json | 5 +- .../signinlogs/config/azure-eventhub.yml | 2 
+ .../module/azure/signinlogs/config/file.yml | 2 + .../module/azure/signinlogs/manifest.yml | 2 + .../test/signinlogs.log-expected.json | 5 +- .../filebeat/module/cef/_meta/docs.asciidoc | 6 + .../filebeat/module/cef/log/config/input.yml | 3 +- x-pack/filebeat/module/cef/log/manifest.yml | 2 +- .../module/cef/log/test/cef.log-expected.json | 12 +- .../cef/log/test/checkpoint.log-expected.json | 9 +- .../log/test/fp-ngfw-smc.log-expected.json | 30 +- .../module/googlecloud/audit/config/input.yml | 2 + .../module/googlecloud/audit/manifest.yml | 3 + .../audit-log-entries.json.log-expected.json | 12 + .../googlecloud/firewall/config/input.yml | 2 + .../module/googlecloud/firewall/manifest.yml | 3 + .../firewall/test/rare.log-expected.json | 10 +- .../firewall/test/test.log-expected.json | 100 ++- .../googlecloud/vpcflow/config/input.yml | 2 + .../module/googlecloud/vpcflow/manifest.yml | 3 + ...pc-flow-log-entries.json.log-expected.json | 500 ++++++++++++--- .../module/o365/audit/config/input.yml | 2 + .../filebeat/module/o365/audit/manifest.yml | 3 + .../test/01-exchange-admin.log-expected.json | 300 +++++++++ .../test/02-exchange-item.log-expected.json | 27 + .../test/04-sharepoint.log-expected.json | 12 + .../06-sharepointfileop.log-expected.json | 33 + .../audit/test/08-azuread.log-expected.json | 300 +++++++++ .../test/11-dlp-sharepoint.log-expected.json | 21 + .../test/13-dlp-exchange.log-expected.json | 18 + .../test/14-sp-sharing-op.log-expected.json | 30 + .../15-azuread-sts-logon.log-expected.json | 207 ++++++ .../audit/test/22-yammer.log-expected.json | 6 + .../audit/test/25-ms-teams.log-expected.json | 12 + .../test/40-sec-comp-alerts.log-expected.json | 9 + .../52-data-insights-api.log-expected.json | 27 + .../module/okta/system/config/input.yml | 2 + .../filebeat/module/okta/system/manifest.yml | 2 + .../okta-system-test.json.log-expected.json | 9 + .../module/panw/panos/config/input.yml | 10 +- .../filebeat/module/panw/panos/manifest.yml | 2 +- 
.../test/pan_inc_other.log-expected.json | 6 +- .../test/pan_inc_threat.log-expected.json | 600 +++++++++++++++--- .../test/pan_inc_traffic.log-expected.json | 600 +++++++++++++++--- .../panw/panos/test/threat.log-expected.json | 456 ++++++++++--- .../panw/panos/test/traffic.log-expected.json | 600 +++++++++++++++--- 125 files changed, 3952 insertions(+), 565 deletions(-) create mode 100644 filebeat/_meta/config/processors.yml.tmpl diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index c7a5f461223..5d28e29db84 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -24,6 +24,13 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Improve ECS field mappings in panw module. event.outcome now only contains success/failure per ECS specification. {issue}16025[16025] {pull}17910[17910] - Improve ECS categorization field mappings for nginx module. http.request.referrer is now lowercase & http.request.referrer only populated when nginx sets a value {issue}16174[16174] {pull}17844[17844] - Improve ECS field mappings in santa module. move hash.sha256 to process.hash.sha256 & move certificate fields to santa.certificate . {issue}16180[16180] {pull}17982[17982] +- With the default configuration the cloud modules (aws, azure, googlecloud, o365, okta) +will no longer send the `host` field that contains information about the host Filebeat is +running on. This is because the `host` field specifies the host on which the event +happened. {issue}13920[13920] {pull}18223[18223] +- With the default configuration the cef and panw modules will no longer send the `host` +field. You can revert this change by configuring tags for the module and omitting +`forwarded` from the list. {issue}13920[13920] {pull}18223[18223] *Heartbeat* 
@@ -309,6 +316,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - When using the `json.*` setting available on some inputs, decoded fields are now deep-merged into existing event. {pull}17958[17958] - Change the `json.*` input settings implementation to merge parsed json objects with existing objects in the event instead of fully replacing them. {pull}17958[17958] - Improve ECS categorization field mappings in osquery module. {issue}16176[16176] {pull}17881[17881] +- Added `observer.vendor`, `observer.product`, and `observer.type` to PANW module events. {pull}18223[18223] *Heartbeat* diff --git a/filebeat/_meta/config/processors.yml.tmpl b/filebeat/_meta/config/processors.yml.tmpl new file mode 100644 index 00000000000..fee0a19cb60 --- /dev/null +++ b/filebeat/_meta/config/processors.yml.tmpl @@ -0,0 +1,9 @@ +{{header "Processors"}} +processors: + - add_host_metadata: + when.not.or: + - contains.tags: cloud + - contains.tags: forwarded + - add_cloud_metadata: ~ + - add_docker_metadata: ~ + - add_kubernetes_metadata: ~ diff --git a/filebeat/docs/modules/cef.asciidoc b/filebeat/docs/modules/cef.asciidoc index 38ac4e4cd5b..cb5af4a9230 100644 --- a/filebeat/docs/modules/cef.asciidoc +++ b/filebeat/docs/modules/cef.asciidoc @@ -40,6 +40,12 @@ The UDP port to listen for syslog traffic. Defaults to `9003` NOTE: Ports below 1024 require Filebeat to run as root. +*`var.tags`*:: + +A list of tags to include in events. Including `forwarded` indicates that the +events did not originate on this host and causes `host.name` to not be added to +events. Defaults to `[cef, forwarded]`. + [float] ==== Forcepoint NGFW Security Management Center diff --git a/filebeat/filebeat.yml b/filebeat/filebeat.yml index 51a0d40224e..c6b52f50619 100644 --- a/filebeat/filebeat.yml +++ b/filebeat/filebeat.yml 
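Review bot: The `when.not.or` condition on `add_host_metadata` in the new processors.yml.tmpl carries no comment explaining why the `cloud` and `forwarded` tags suppress host metadata, and the filebeat.yml hunks generated from it (next line, and the x-pack copy after that) also drop the existing `# Configure processors to enhance or manipulate events generated by the beat.` line, so the reference config ends up with no guidance at all. I would add above the processor: `# Skip host metadata for events that did not happen on this host: the cloud modules tag events with "cloud" and the cef/panw modules tag forwarded data with "forwarded" (see the module's var.tags).` Separately, the same reasoning seems to apply to `add_cloud_metadata`, which still runs unconditionally and, when Filebeat itself runs in a cloud VM, would stamp the collector's `cloud.*` fields onto forwarded CEF/PANW events; if that is intentional a comment saying so would help, otherwise the same `when.not.or` condition belongs there too.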
@@ -172,16 +172,15 @@ output.elasticsearch: #ssl.key: "/etc/pki/client/cert.key" # ================================= Processors ================================= - -# Configure processors to enhance or manipulate events generated by the beat. - processors: - - add_host_metadata: ~ + - add_host_metadata: + when.not.or: + - contains.tags: cloud + - contains.tags: forwarded - add_cloud_metadata: ~ - add_docker_metadata: ~ - add_kubernetes_metadata: ~ - # ================================== Logging =================================== # Sets log level. The default log level is info. diff --git a/filebeat/fileset/fileset.go b/filebeat/fileset/fileset.go index e1f6da6c1da..8c296046463 100644 --- a/filebeat/fileset/fileset.go +++ b/filebeat/fileset/fileset.go @@ -27,6 +27,7 @@ import ( "io/ioutil" "os" "path/filepath" + "reflect" "runtime" "strings" "text/template" @@ -290,6 +291,18 @@ func getTemplateFunctions(vars map[string]interface{}) (template.FuncMap, error) } return template.FuncMap{ + "inList": func(collection []interface{}, item string) bool { + for _, h := range collection { + if reflect.DeepEqual(item, h) { + return true + } + } + return false + }, + "tojson": func(v interface{}) (string, error) { + bytes, err := json.Marshal(v) + return string(bytes), err + }, "IngestPipeline": func(shortID string) string { return formatPipelineID( builtinVars["prefix"].(string), diff --git a/x-pack/filebeat/filebeat.yml b/x-pack/filebeat/filebeat.yml index 51a0d40224e..c6b52f50619 100644 --- a/x-pack/filebeat/filebeat.yml +++ b/x-pack/filebeat/filebeat.yml 
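Review bot: `inList` compares a `string` against each `interface{}` element with `reflect.DeepEqual`, which is the only reason the hunk adds the `reflect` import; a type assertion says the same thing without reflection, `if s, ok := h.(string); ok && s == item {`, and keeps non-string tags from ever matching by accident. In `tojson` the local named `bytes` shadows the standard `bytes` package name if that is imported elsewhere in this file; `b, err := json.Marshal(v)` avoids the confusion, and `json` itself is not added by the import hunk, so it is presumably already imported above this hunk. A short doc comment on each helper would also help template authors, e.g. `// inList reports whether item is one of the string elements of collection; used as {{ inList .tags "cloud" }}.` and `// tojson renders v as a JSON literal so user-supplied lists can be embedded verbatim in the generated YAML input config.` The enclosing `getTemplateFunctions` starts and ends outside the hunk.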
@@ -172,16 +172,15 @@ output.elasticsearch: #ssl.key: "/etc/pki/client/cert.key" # ================================= Processors ================================= - -# Configure processors to enhance or manipulate events generated by the beat. - processors: - - add_host_metadata: ~ + - add_host_metadata: + when.not.or: + - contains.tags: cloud + - contains.tags: forwarded - add_cloud_metadata: ~ - add_docker_metadata: ~ - add_kubernetes_metadata: ~ - # ================================== Logging =================================== # Sets log level. The default log level is info. diff --git a/x-pack/filebeat/module/aws/cloudtrail/config/file.yml b/x-pack/filebeat/module/aws/cloudtrail/config/file.yml index 009b03388f7..b80698e7051 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/config/file.yml +++ b/x-pack/filebeat/module/aws/cloudtrail/config/file.yml @@ -4,6 +4,9 @@ paths: - {{$path}} {{ end }} exclude_files: [".gz$"] +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "cloud" }} + processors: - add_fields: target: '' diff --git a/x-pack/filebeat/module/aws/cloudtrail/config/s3.yml b/x-pack/filebeat/module/aws/cloudtrail/config/s3.yml index 4ab358804c9..176789e9e06 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/config/s3.yml +++ b/x-pack/filebeat/module/aws/cloudtrail/config/s3.yml @@ -38,6 +38,9 @@ session_token: {{ .session_token }} role_arn: {{ .role_arn }} {{ end }} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "cloud" }} + processors: - add_fields: target: '' diff --git a/x-pack/filebeat/module/aws/cloudtrail/manifest.yml b/x-pack/filebeat/module/aws/cloudtrail/manifest.yml index 16d188c1c0d..774964c2f49 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/manifest.yml +++ b/x-pack/filebeat/module/aws/cloudtrail/manifest.yml 
@@ -13,6 +13,8 @@ var: - name: secret_access_key - name: session_token - name: role_arn + - name: tags + default: [cloud] ingest_pipeline: ingest/pipeline.yml input: config/{{.input}}.yml diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/add-user-to-group-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/add-user-to-group-json.log-expected.json index 9b36d634481..bc301dd3fb4 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/add-user-to-group-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/add-user-to-group-json.log-expected.json @@ -27,6 +27,9 @@ "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", + "tags": [ + "cloud" + ], "user.id": "EX_PRINCIPAL_ID", "user.name": "Alice", "user_agent.device.name": "Other", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/assume-role-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/assume-role-json.log-expected.json index 78ad7dc6984..6a236c97c21 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/assume-role-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/assume-role-json.log-expected.json @@ -34,6 +34,9 @@ "source.geo.region_iso_code": "CN-CQ", "source.geo.region_name": "Chongqing", "source.ip": "123.145.67.89", + "tags": [ + "cloud" + ], "user.id": "AROAIN5ATK5U7KEXAMPLE:JohnRole1", "user_agent.device.name": "Spider", "user_agent.name": "aws-cli", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/change-password-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/change-password-json.log-expected.json index 02532f93aa8..58e03e3bfa6 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/change-password-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/change-password-json.log-expected.json 
@@ -26,6 +26,9 @@ "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", + "tags": [ + "cloud" + ], "user.id": "0123456789012", "user.name": "Alice", "user_agent.device.name": "Spider", @@ -58,6 +61,9 @@ "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", + "tags": [ + "cloud" + ], "user.id": "0123456789012", "user.name": "Alice", "user_agent.device.name": "Spider", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/console-login-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/console-login-json.log-expected.json index 6735d4bbe9a..c32cfe18198 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/console-login-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/console-login-json.log-expected.json @@ -27,6 +27,9 @@ "service.type": "aws", "source.address": "192.0.2.110", "source.ip": "192.0.2.110", + "tags": [ + "cloud" + ], "user.id": "AIDACKCEVSQ6C2EXAMPLE", "user.name": "JohnDoe", "user_agent.device.name": "Other", @@ -66,6 +69,9 @@ "service.type": "aws", "source.address": "192.0.2.100", "source.ip": "192.0.2.100", + "tags": [ + "cloud" + ], "user.id": "AIDACKCEVSQ6C2EXAMPLE", "user.name": "JaneDoe", "user_agent.device.name": "Other", @@ -111,6 +117,9 @@ "service.type": "aws", "source.address": "192.0.2.100", "source.ip": "192.0.2.100", + "tags": [ + "cloud" + ], "user.id": "AROAIDPPEZS35WEXAMPLE:AssumedRoleSessionName", "user.name": "RoleToBeAssumed", "user_agent.device.name": "Other", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/create-access-key-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/create-access-key-json.log-expected.json index 43fa88f05f0..3aa2ab09f17 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/create-access-key-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/create-access-key-json.log-expected.json 
@@ -32,6 +32,9 @@ "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", + "tags": [ + "cloud" + ], "user.id": "EXAMPLE_ID", "user.name": "Alice", "user_agent.device.name": "Other", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/create-group-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/create-group-json.log-expected.json index 1e07ca70e81..82c33d3b896 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/create-group-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/create-group-json.log-expected.json @@ -29,6 +29,9 @@ "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", + "tags": [ + "cloud" + ], "user.id": "0123456789012", "user.name": "Alice", "user_agent.device.name": "Other", @@ -63,6 +66,9 @@ "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", + "tags": [ + "cloud" + ], "user.id": "0123456789012", "user.name": "Alice", "user_agent.device.name": "Spider", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/create-key-pair-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/create-key-pair-json.log-expected.json index 1c66362a9fc..60f6a4c6663 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/create-key-pair-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/create-key-pair-json.log-expected.json @@ -32,6 +32,9 @@ "source.geo.region_iso_code": "US-VA", "source.geo.region_name": "Virginia", "source.ip": "72.21.198.64", + "tags": [ + "cloud" + ], "user.id": "EX_PRINCIPAL_ID", "user.name": "Alice", "user_agent.device.name": "Other", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/create-trail-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/create-trail-json.log-expected.json index 7c9bc46ca8d..88dd494e9ba 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/create-trail-json.log-expected.json 
+++ b/x-pack/filebeat/module/aws/cloudtrail/test/create-trail-json.log-expected.json @@ -30,6 +30,9 @@ "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", + "tags": [ + "cloud" + ], "user.id": "EXAMPLE_ID", "user.name": "Alice", "user_agent.device.name": "Other", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/create-user-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/create-user-json.log-expected.json index 2a0bd3b19cd..0c53b7defd5 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/create-user-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/create-user-json.log-expected.json @@ -26,6 +26,9 @@ "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", + "tags": [ + "cloud" + ], "user.id": "EX_PRINCIPAL_ID", "user.name": "Alice", "user_agent.device.name": "Other", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/create-virtual-mfa-device-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/create-virtual-mfa-device-json.log-expected.json index e46d89a5c6d..27c2f3be030 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/create-virtual-mfa-device-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/create-virtual-mfa-device-json.log-expected.json @@ -28,6 +28,9 @@ "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", + "tags": [ + "cloud" + ], "user.id": "EXAMPLE_ID", "user.name": "Alice", "user_agent.device.name": "Other", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/deactivate-mfa-device-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/deactivate-mfa-device-json.log-expected.json index 34ac136cd52..ba60076503e 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/deactivate-mfa-device-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/deactivate-mfa-device-json.log-expected.json 
@@ -31,6 +31,9 @@ "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", + "tags": [ + "cloud" + ], "user.id": "EXAMPLE_ID", "user.name": "Alice", "user_agent.device.name": "Other", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/delete-access-key-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/delete-access-key-json.log-expected.json index 698cae731a1..e00bb042198 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/delete-access-key-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/delete-access-key-json.log-expected.json @@ -31,6 +31,9 @@ "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", + "tags": [ + "cloud" + ], "user.id": "EXAMPLE_ID", "user.name": "Alice", "user_agent.device.name": "Other", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/delete-bucket-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/delete-bucket-json.log-expected.json index 31274005d66..004c95257d8 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/delete-bucket-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/delete-bucket-json.log-expected.json @@ -27,6 +27,9 @@ "service.type": "aws", "source.address": "192.0.2.1", "source.ip": "192.0.2.1", + "tags": [ + "cloud" + ], "user.id": "AIDAQRSTUVWXYZEXAMPLE:devdsk", "user_agent.device.name": "Spider", "user_agent.name": "aws-cli", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/delete-group-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/delete-group-json.log-expected.json index 6e058b71108..98c21fa1b3d 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/delete-group-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/delete-group-json.log-expected.json 
@@ -28,6 +28,9 @@ "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", + "tags": [ + "cloud" + ], "user.id": "0123456789012", "user.name": "Alice", "user_agent.device.name": "Other", @@ -62,6 +65,9 @@ "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", + "tags": [ + "cloud" + ], "user.id": "EXAMPLE_PRINCIPLE", "user.name": "Alice", "user_agent.device.name": "Spider", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/delete-ssh-public-key-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/delete-ssh-public-key-json.log-expected.json index b39ab00d2e2..f509495d499 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/delete-ssh-public-key-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/delete-ssh-public-key-json.log-expected.json @@ -31,6 +31,9 @@ "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", + "tags": [ + "cloud" + ], "user.id": "EXAMPLE_ID", "user.name": "Alice", "user_agent.device.name": "Other", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/delete-trail-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/delete-trail-json.log-expected.json index b55a58cfc54..ec5abd05e25 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/delete-trail-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/delete-trail-json.log-expected.json @@ -26,6 +26,9 @@ "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", + "tags": [ + "cloud" + ], "user.id": "EXAMPLE_ID", "user.name": "Alice", "user_agent.device.name": "Spider", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/delete-user-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/delete-user-json.log-expected.json index 8d3c1a55edc..e11b61af4a4 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/delete-user-json.log-expected.json 
+++ b/x-pack/filebeat/module/aws/cloudtrail/test/delete-user-json.log-expected.json @@ -31,6 +31,9 @@ "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", + "tags": [ + "cloud" + ], "user.id": "EX_PRINCIPAL_ID", "user.name": "Alice", "user_agent.device.name": "Other", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/delete-virtual-mfa-device-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/delete-virtual-mfa-device-json.log-expected.json index 81eae87f97c..13b67017a66 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/delete-virtual-mfa-device-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/delete-virtual-mfa-device-json.log-expected.json @@ -28,6 +28,9 @@ "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", + "tags": [ + "cloud" + ], "user.id": "EXAMPLE_ID", "user.name": "Alice", "user_agent.device.name": "Other", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/enable-mfa-device-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/enable-mfa-device-json.log-expected.json index 0692ebb0222..05de75f2fe1 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/enable-mfa-device-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/enable-mfa-device-json.log-expected.json @@ -30,6 +30,9 @@ "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", + "tags": [ + "cloud" + ], "user.id": "EXAMPLE_ID", "user.name": "Alice", "user_agent.device.name": "Other", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/remove-user-from-group-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/remove-user-from-group-json.log-expected.json index 36772d56aaf..089c152669e 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/remove-user-from-group-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/remove-user-from-group-json.log-expected.json 
@@ -31,6 +31,9 @@ "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", + "tags": [ + "cloud" + ], "user.id": "EXAMPLE_ID", "user.name": "Alice", "user_agent.device.name": "Other", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/start-logging-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/start-logging-json.log-expected.json index d71f69eb606..47ef901ef20 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/start-logging-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/start-logging-json.log-expected.json @@ -29,6 +29,9 @@ "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", + "tags": [ + "cloud" + ], "user.id": "EXAMPLE_ID", "user.name": "Alice", "user_agent.device.name": "Other", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/stop-logging-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/stop-logging-json.log-expected.json index a313846b14c..41b5d2802b1 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/stop-logging-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/stop-logging-json.log-expected.json @@ -29,6 +29,9 @@ "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", + "tags": [ + "cloud" + ], "user.id": "EXAMPLE_ID", "user.name": "Alice", "user_agent.device.name": "Other", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/update-access-key-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/update-access-key-json.log-expected.json index b67deb55c2e..b28c382f2f9 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/update-access-key-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/update-access-key-json.log-expected.json @@ -31,6 +31,9 @@ "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", + "tags": [ + "cloud" + ], "user.id": "EXAMPLE_ID", "user.name": "Alice", "user_agent.device.name": "Other", 
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/update-accout-password-policy-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/update-accout-password-policy-json.log-expected.json index c643a0df09f..944c843e78f 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/update-accout-password-policy-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/update-accout-password-policy-json.log-expected.json @@ -28,6 +28,9 @@ "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", + "tags": [ + "cloud" + ], "user.id": "EXAMPLE_ID", "user.name": "Alice", "user_agent.device.name": "Other", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/update-group-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/update-group-json.log-expected.json index 4f51063cadf..cae0aebcfda 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/update-group-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/update-group-json.log-expected.json @@ -25,6 +25,9 @@ "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", + "tags": [ + "cloud" + ], "user.id": "0123456789012", "user.name": "Alice", "user_agent.device.name": "Spider", @@ -60,6 +63,9 @@ "service.type": "aws", "source.address": "127.0.0.1", "source.ip": "127.0.0.1", + "tags": [ + "cloud" + ], "user.id": "0123456789012", "user.name": "Alice", "user_agent.device.name": "Spider", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/update-login-profile-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/update-login-profile-json.log-expected.json index 44d123d3591..fa962e1a918 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/update-login-profile-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/update-login-profile-json.log-expected.json 
@@ -31,6 +31,9 @@
 "service.type": "aws",
 "source.address": "127.0.0.1",
 "source.ip": "127.0.0.1",
+ "tags": [
+ "cloud"
+ ],
 "user.id": "EXAMPLE_ID",
 "user.name": "Alice",
 "user_agent.device.name": "Other",
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/update-ssh-public-key-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/update-ssh-public-key-json.log-expected.json
index fa9671014a7..64ca82a5697 100644
--- a/x-pack/filebeat/module/aws/cloudtrail/test/update-ssh-public-key-json.log-expected.json
+++ b/x-pack/filebeat/module/aws/cloudtrail/test/update-ssh-public-key-json.log-expected.json
@@ -31,6 +31,9 @@
 "service.type": "aws",
 "source.address": "127.0.0.1",
 "source.ip": "127.0.0.1",
+ "tags": [
+ "cloud"
+ ],
 "user.id": "EXAMPLE_ID",
 "user.name": "Alice",
 "user_agent.device.name": "Other",
@@ -69,6 +72,9 @@
 "service.type": "aws",
 "source.address": "127.0.0.1",
 "source.ip": "127.0.0.1",
+ "tags": [
+ "cloud"
+ ],
 "user.id": "EXAMPLE_ID",
 "user.name": "Alice",
 "user_agent.device.name": "Other",
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/update-trail-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/update-trail-json.log-expected.json
index fec80eef8de..88637b379a7 100644
--- a/x-pack/filebeat/module/aws/cloudtrail/test/update-trail-json.log-expected.json
+++ b/x-pack/filebeat/module/aws/cloudtrail/test/update-trail-json.log-expected.json
@@ -34,6 +34,9 @@
 "source.geo.region_iso_code": "US-OR",
 "source.geo.region_name": "Oregon",
 "source.ip": "205.251.233.182",
+ "tags": [
+ "cloud"
+ ],
 "user.id": "EX_PRINCIPAL_ID",
 "user.name": "Alice",
 "user_agent.device.name": "Spider",
@@ -73,6 +76,9 @@
 "service.type": "aws",
 "source.address": "127.0.0.1",
 "source.ip": "127.0.0.1",
+ "tags": [
+ "cloud"
+ ],
 "user.id": "EXAMPLE_ID",
 "user.name": "Alice",
 "user_agent.device.name": "Other",
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/update-user-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/update-user-json.log-expected.json
index ace5d1290d2..85ed8870e54 100644
--- a/x-pack/filebeat/module/aws/cloudtrail/test/update-user-json.log-expected.json
+++ b/x-pack/filebeat/module/aws/cloudtrail/test/update-user-json.log-expected.json
@@ -29,6 +29,9 @@
 "service.type": "aws",
 "source.address": "127.0.0.1",
 "source.ip": "127.0.0.1",
+ "tags": [
+ "cloud"
+ ],
 "user.id": "EX_PRINCIPAL_ID",
 "user.name": "Alice",
 "user_agent.device.name": "Spider",
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/upload-ssh-public-key-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/upload-ssh-public-key-json.log-expected.json
index bbed1e444f6..947d2c0aeb4 100644
--- a/x-pack/filebeat/module/aws/cloudtrail/test/upload-ssh-public-key-json.log-expected.json
+++ b/x-pack/filebeat/module/aws/cloudtrail/test/upload-ssh-public-key-json.log-expected.json
@@ -32,6 +32,9 @@
 "service.type": "aws",
 "source.address": "127.0.0.1",
 "source.ip": "127.0.0.1",
+ "tags": [
+ "cloud"
+ ],
 "user.id": "EXAMPLE_ID",
 "user.name": "Alice",
 "user_agent.device.name": "Other",
diff --git a/x-pack/filebeat/module/aws/cloudwatch/config/file.yml b/x-pack/filebeat/module/aws/cloudwatch/config/file.yml
index 009b03388f7..b80698e7051 100644
--- a/x-pack/filebeat/module/aws/cloudwatch/config/file.yml
+++ b/x-pack/filebeat/module/aws/cloudwatch/config/file.yml
@@ -4,6 +4,9 @@ paths:
 - {{$path}}
 {{ end }}
 exclude_files: [".gz$"]
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "cloud" }}
+
 processors:
 - add_fields:
 target: ''
diff --git a/x-pack/filebeat/module/aws/cloudwatch/config/s3.yml b/x-pack/filebeat/module/aws/cloudwatch/config/s3.yml
index 75d02f1cbbb..ca998a4e1d1 100644
--- a/x-pack/filebeat/module/aws/cloudwatch/config/s3.yml
+++ b/x-pack/filebeat/module/aws/cloudwatch/config/s3.yml
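Review bot: The literal `cloud` in `publisher_pipeline.disable_host: {{ inList .tags "cloud" }}` is the only thing tying this input's tag list to the suppression of `host.*`, and the same two template lines are repeated verbatim in the cloudwatch s3.yml, ec2, elb, s3access, vpcflow and azure config templates below, so a user who overrides `var.tags` without keeping `cloud` silently gets `host.*` back on events that did not originate on the Filebeat host. The commit description states that this is intended, but nothing in the template says so; a one-line comment above the added lines would make the contract visible where it is edited: `# "cloud" tells the publisher not to attach host.* (these events did not happen on this host); keep it in var.tags unless Filebeat itself is the event source.` The `tojson` and `inList` helpers are not defined in this hunk — presumably the fileset.go change in the diffstat supplies them, which I cannot confirm here. Minor style point: `{{.tags | tojson}}` and `{{ inList .tags "cloud" }}` use different spacing inside the template delimiters.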
@@ -37,6 +37,9 @@ session_token: {{ .session_token }}
 role_arn: {{ .role_arn }}
 {{ end }}
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "cloud" }}
+
 processors:
 - add_fields:
 target: ''
diff --git a/x-pack/filebeat/module/aws/cloudwatch/manifest.yml b/x-pack/filebeat/module/aws/cloudwatch/manifest.yml
index 16d188c1c0d..774964c2f49 100644
--- a/x-pack/filebeat/module/aws/cloudwatch/manifest.yml
+++ b/x-pack/filebeat/module/aws/cloudwatch/manifest.yml
@@ -13,6 +13,8 @@ var:
 - name: secret_access_key
 - name: session_token
 - name: role_arn
+ - name: tags
+ default: [cloud]
 ingest_pipeline: ingest/pipeline.yml
 input: config/{{.input}}.yml
diff --git a/x-pack/filebeat/module/aws/cloudwatch/test/cloudwatch_ec2.log-expected.json b/x-pack/filebeat/module/aws/cloudwatch/test/cloudwatch_ec2.log-expected.json
index bdc8b0c3a72..7520b2763f5 100644
--- a/x-pack/filebeat/module/aws/cloudwatch/test/cloudwatch_ec2.log-expected.json
+++ b/x-pack/filebeat/module/aws/cloudwatch/test/cloudwatch_ec2.log-expected.json
@@ -8,7 +8,10 @@
 "input.type": "log",
 "log.offset": 0,
 "message": "2020-02-20T07:01:01.000Z Feb 20 07:01:01 ip-172-31-81-156 systemd: Stopping User Slice of root.",
- "service.type": "aws"
+ "service.type": "aws",
+ "tags": [
+ "cloud"
+ ]
 },
 {
 "@timestamp": "2020-02-20T07:02:18.000Z",
@@ -19,7 +22,10 @@
 "input.type": "log",
 "log.offset": 96,
 "message": "2020-02-20T07:02:18.000Z Feb 20 07:02:18 ip-172-31-81-156 dhclient[3000]: XMT: Solicit on eth0, interval 125240ms.",
- "service.type": "aws"
+ "service.type": "aws",
+ "tags": [
+ "cloud"
+ ]
 },
 {
 "@timestamp": "2020-02-20T07:02:37.000Z",
@@ -30,7 +36,10 @@
 "input.type": "log",
 "log.offset": 211,
 "message": "2020-02-20T07:02:37.000Z Feb 20 07:02:37 ip-172-31-81-156 dhclient[2898]: DHCPREQUEST on eth0 to 172.31.80.1 port 67 (xid=0x4575af22)",
- "service.type": "aws"
+ "service.type": "aws",
+ "tags": [
+ "cloud"
+ ]
 },
 {
 "@timestamp": "2020-02-20T07:02:37.000Z",
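Review bot: `- name: tags` / `default: [cloud]` in the cloudwatch manifest introduces a variable whose default decides what the input does (it feeds `publisher_pipeline.disable_host` in the config templates), yet the entry carries no explanation; the ec2, elb, s3access, vpcflow and azure manifests below add the same bare entry. A comment on the entry would spare the next maintainer a trip through the templates: `# "cloud" in tags disables host.* on published events; drop it only if Filebeat itself is the event source.` The default is a flow sequence, so a user who writes `var.tags: cloud` (a scalar) hands the templates a differently-typed value; how `inList`/`tojson` treat that is outside this diff, so the expected type is worth stating in the module docs.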
@@ -41,7 +50,10 @@
 "input.type": "log",
 "log.offset": 345,
 "message": "2020-02-20T07:02:37.000Z Feb 20 07:02:37 ip-172-31-81-156 dhclient[2898]: DHCPACK from 172.31.80.1 (xid=0x4575af22)",
- "service.type": "aws"
+ "service.type": "aws",
+ "tags": [
+ "cloud"
+ ]
 },
 {
 "@timestamp": "2020-02-20T07:02:37.000Z",
@@ -52,7 +64,10 @@
 "input.type": "log",
 "log.offset": 461,
 "message": "2020-02-20T07:02:37.000Z Feb 20 07:02:37 ip-172-31-81-156 dhclient[2898]: bound to 172.31.81.156 -- renewal in 1599 seconds.",
- "service.type": "aws"
+ "service.type": "aws",
+ "tags": [
+ "cloud"
+ ]
 },
 {
 "@timestamp": "2020-02-20T07:02:37.000Z",
@@ -63,6 +78,9 @@
 "input.type": "log",
 "log.offset": 586,
 "message": "2020-02-20T07:02:37.000Z Feb 20 07:02:37 ip-172-31-81-156 ec2net: [get_meta] Trying to get http://169.254.169.254/latest/meta-data/network/interfaces/macs/12:e2:a9:95:8b:97/local-ipv4s",
- "service.type": "aws"
+ "service.type": "aws",
+ "tags": [
+ "cloud"
+ ]
 }
 ]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/aws/ec2/config/file.yml b/x-pack/filebeat/module/aws/ec2/config/file.yml
index 009b03388f7..b80698e7051 100644
--- a/x-pack/filebeat/module/aws/ec2/config/file.yml
+++ b/x-pack/filebeat/module/aws/ec2/config/file.yml
@@ -4,6 +4,9 @@ paths:
 - {{$path}}
 {{ end }}
 exclude_files: [".gz$"]
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "cloud" }}
+
 processors:
 - add_fields:
 target: ''
diff --git a/x-pack/filebeat/module/aws/ec2/config/s3.yml b/x-pack/filebeat/module/aws/ec2/config/s3.yml
index 75d02f1cbbb..ca998a4e1d1 100644
--- a/x-pack/filebeat/module/aws/ec2/config/s3.yml
+++ b/x-pack/filebeat/module/aws/ec2/config/s3.yml
@@ -37,6 +37,9 @@ session_token: {{ .session_token }}
 role_arn: {{ .role_arn }}
 {{ end }}
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "cloud" }}
+
 processors:
 - add_fields:
 target: ''
diff --git a/x-pack/filebeat/module/aws/ec2/manifest.yml b/x-pack/filebeat/module/aws/ec2/manifest.yml
index 16d188c1c0d..774964c2f49 100644
--- a/x-pack/filebeat/module/aws/ec2/manifest.yml
+++ b/x-pack/filebeat/module/aws/ec2/manifest.yml
@@ -13,6 +13,8 @@ var:
 - name: secret_access_key
 - name: session_token
 - name: role_arn
+ - name: tags
+ default: [cloud]
 ingest_pipeline: ingest/pipeline.yml
 input: config/{{.input}}.yml
diff --git a/x-pack/filebeat/module/aws/ec2/test/ec2.log-expected.json b/x-pack/filebeat/module/aws/ec2/test/ec2.log-expected.json
index c2635e6a802..60ae1b62a53 100644
--- a/x-pack/filebeat/module/aws/ec2/test/ec2.log-expected.json
+++ b/x-pack/filebeat/module/aws/ec2/test/ec2.log-expected.json
@@ -9,7 +9,10 @@
 "log.offset": 0,
 "message": "Stopping User Slice of root.",
 "process.name": "systemd",
- "service.type": "aws"
+ "service.type": "aws",
+ "tags": [
+ "cloud"
+ ]
 },
 {
 "@timestamp": "2020-02-20T07:02:18.000Z",
@@ -22,7 +25,10 @@
 "message": "XMT: Solicit on eth0, interval 125240ms.",
 "process.name": "dhclient",
 "process.pid": "3000",
- "service.type": "aws"
+ "service.type": "aws",
+ "tags": [
+ "cloud"
+ ]
 },
 {
 "@timestamp": "2020-02-20T07:02:37.000Z",
@@ -35,7 +41,10 @@
 "message": "DHCPREQUEST on eth0 to 172.31.80.1 port 67 (xid=0x4575af22)",
 "process.name": "dhclient",
 "process.pid": "2898",
- "service.type": "aws"
+ "service.type": "aws",
+ "tags": [
+ "cloud"
+ ]
 },
 {
 "@timestamp": "2020-02-20T07:02:37.000Z",
@@ -48,7 +57,10 @@
 "message": "DHCPACK from 172.31.80.1 (xid=0x4575af22)",
 "process.name": "dhclient",
 "process.pid": "2898",
- "service.type": "aws"
+ "service.type": "aws",
+ "tags": [
+ "cloud"
+ ]
 },
 {
 "@timestamp": "2020-02-20T07:02:37.000Z",
@@ -61,7 +73,10 @@
 "message": "bound to 172.31.81.156 -- renewal in 1599 seconds.",
 "process.name": "dhclient",
 "process.pid": "2898",
- "service.type": "aws"
+ "service.type": "aws",
+ "tags": [
+ "cloud"
+ ]
 },
 {
 "@timestamp": "2020-02-20T07:02:37.000Z",
@@ -73,6 +88,9 @@
 "log.offset": 586,
 "message": "[get_meta] Trying to get http://169.254.169.254/latest/meta-data/network/interfaces/macs/12:e2:a9:95:8b:97/local-ipv4s",
 "process.name": "ec2net",
- "service.type": "aws"
+ "service.type": "aws",
+ "tags": [
+ "cloud"
+ ]
 }
 ]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/aws/elb/config/file.yml b/x-pack/filebeat/module/aws/elb/config/file.yml
index 9628dd63bad..dd115d9b78b 100644
--- a/x-pack/filebeat/module/aws/elb/config/file.yml
+++ b/x-pack/filebeat/module/aws/elb/config/file.yml
@@ -4,6 +4,9 @@ paths:
 - {{$path}}
 {{ end }}
 exclude_files: [".gz$"]
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "cloud" }}
+
 processors:
 - add_fields:
 target: ''
diff --git a/x-pack/filebeat/module/aws/elb/config/s3.yml b/x-pack/filebeat/module/aws/elb/config/s3.yml
index 75d02f1cbbb..ca998a4e1d1 100644
--- a/x-pack/filebeat/module/aws/elb/config/s3.yml
+++ b/x-pack/filebeat/module/aws/elb/config/s3.yml
@@ -37,6 +37,9 @@ session_token: {{ .session_token }}
 role_arn: {{ .role_arn }}
 {{ end }}
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "cloud" }}
+
 processors:
 - add_fields:
 target: ''
diff --git a/x-pack/filebeat/module/aws/elb/manifest.yml b/x-pack/filebeat/module/aws/elb/manifest.yml
index 418becaf828..5ecd7ac5cfe 100644
--- a/x-pack/filebeat/module/aws/elb/manifest.yml
+++ b/x-pack/filebeat/module/aws/elb/manifest.yml
@@ -13,6 +13,8 @@ var:
 - name: secret_access_key
 - name: session_token
 - name: role_arn
+ - name: tags
+ default: [cloud]
 ingest_pipeline: ingest/pipeline.yml
 input: config/{{.input}}.yml
diff --git a/x-pack/filebeat/module/aws/elb/test/application-lb-http.log-expected.json b/x-pack/filebeat/module/aws/elb/test/application-lb-http.log-expected.json
index 093cc1fc2e7..ee4c5539c50 100644
--- a/x-pack/filebeat/module/aws/elb/test/application-lb-http.log-expected.json
+++ b/x-pack/filebeat/module/aws/elb/test/application-lb-http.log-expected.json
@@ -41,6 +41,9 @@
 "source.geo.region_name": "Teruel",
 "source.ip": "77.227.156.41",
 "source.port": "56398",
+ "tags": [
+ "cloud"
+ ],
 "tracing.trace.id": "Root=1-5da09932-2c342a443bfb96249aa50ed7",
 "user_agent.original": "curl/7.58.0"
 },
@@ -86,6 +89,9 @@
 "source.geo.region_name": "Teruel",
 "source.ip": "77.227.156.41",
 "source.port": "56488",
+ "tags": [
+ "cloud"
+ ],
 "tracing.trace.id": "Root=1-5da09954-2c342a443bfb96249aa50ed7",
 "user_agent.original": "curl/7.58.0"
 },
@@ -131,6 +137,9 @@
 "source.geo.region_name": "Teruel",
 "source.ip": "77.227.156.41",
 "source.port": "56416",
+ "tags": [
+ "cloud"
+ ],
 "tracing.trace.id": "Root=1-5da09938-d9c72660e247c36070017828",
 "user_agent.original": "curl/7.58.0"
 },
@@ -176,6 +185,9 @@
 "source.geo.region_name": "Teruel",
 "source.ip": "77.227.156.41",
 "source.port": "56448",
+ "tags": [
+ "cloud"
+ ],
 "tracing.trace.id": "Root=1-5da09945-0eaa8050df7d96f84806ded0",
 "user_agent.original": "curl/7.58.0"
 },
@@ -221,6 +233,9 @@
 "source.geo.region_name": "Teruel",
 "source.ip": "77.227.156.41",
 "source.port": "56602",
+ "tags": [
+ "cloud"
+ ],
 "tracing.trace.id": "Root=1-5da0997a-5add00b04bc8ae20ae96d9f0",
 "user_agent.original": "curl/7.58.0"
 },
@@ -266,6 +281,9 @@
 "source.geo.region_name": "Teruel",
 "source.ip": "77.227.156.41",
 "source.port": "56638",
+ "tags": [
+ "cloud"
+ ],
 "tracing.trace.id": "Root=1-5da09987-cc391940b332434860dfa848",
 "user_agent.original": "curl/7.58.0"
 },
@@ -311,6 +329,9 @@
 "source.geo.region_name": "Teruel",
 "source.ip": "77.227.156.41",
 "source.port": "37632",
+ "tags": [
+ "cloud"
+ ],
 "tracing.trace.id": "Root=1-5da099cb-3d3b17eb2b75373f4c0c36c5",
 "user_agent.original": "curl/7.58.0"
 },
@@ -360,6 +381,9 @@
 "source.geo.region_name": "Teruel",
 "source.ip": "77.227.156.41",
 "source.port": "37838",
+ "tags": [
+ "cloud"
+ ],
 "tracing.trace.id": "Root=1-5da0a5dd-4d9a423a0e9a782fe2f390af",
 "user_agent.original": "curl/7.58.0"
 },
@@ -409,6 +433,9 @@
 "source.geo.region_name": "Teruel",
 "source.ip": "77.227.156.41",
 "source.port": "37850",
+ "tags": [
+ "cloud"
+ ],
 "tracing.trace.id": "Root=1-5da0a5df-7d64cabe9955b4df9acc800a",
 "user_agent.original": "curl/7.58.0"
 },
@@ -458,6 +485,9 @@
 "source.geo.region_name": "Teruel",
 "source.ip": "77.227.156.41",
 "source.port": "37856",
+ "tags": [
+ "cloud"
+ ],
 "tracing.trace.id": "Root=1-5da0a5df-7c958e828ff43b63d0e0fac4",
 "user_agent.original": "curl/7.58.0"
 }
diff --git a/x-pack/filebeat/module/aws/elb/test/elb-http.log-expected.json b/x-pack/filebeat/module/aws/elb/test/elb-http.log-expected.json
index f8b0d751e75..36b697498ef 100644
--- a/x-pack/filebeat/module/aws/elb/test/elb-http.log-expected.json
+++ b/x-pack/filebeat/module/aws/elb/test/elb-http.log-expected.json
@@ -37,6 +37,9 @@
 "source.geo.region_name": "Moscow",
 "source.ip": "78.24.182.42",
 "source.port": "54106",
+ "tags": [
+ "cloud"
+ ],
 "user_agent.original": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
 },
 {
@@ -77,6 +80,9 @@
 "source.geo.region_name": "Moscow Oblast",
 "source.ip": "31.135.65.4",
 "source.port": "54001",
+ "tags": [
+ "cloud"
+ ],
 "user_agent.original": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
 },
 {
@@ -117,6 +123,9 @@
 "source.geo.region_name": "Teruel",
 "source.ip": "77.227.156.41",
 "source.port": "52406",
+ "tags": [
+ "cloud"
+ ],
 "user_agent.original": "curl/7.58.0"
 },
 {
@@ -157,6 +166,9 @@
 "source.geo.region_name": "Teruel",
 "source.ip": "77.227.156.41",
 "source.port": "52410",
+ "tags": [
+ "cloud"
+ ],
 "user_agent.original": "curl/7.58.0"
 },
 {
@@ -197,6 +209,9 @@
 "source.geo.region_name": "Teruel",
 "source.ip": "77.227.156.41",
 "source.port": "52414",
+ "tags": [
+ "cloud"
+ ],
 "user_agent.original": "curl/7.58.0"
 }
 ]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/aws/elb/test/elb-tcp.log-expected.json b/x-pack/filebeat/module/aws/elb/test/elb-tcp.log-expected.json
index c587af8defb..47a50ccecf9 100644
--- a/x-pack/filebeat/module/aws/elb/test/elb-tcp.log-expected.json
+++ b/x-pack/filebeat/module/aws/elb/test/elb-tcp.log-expected.json
@@ -30,7 +30,10 @@
 "source.geo.region_iso_code": "ES-TE",
 "source.geo.region_name": "Teruel",
 "source.ip": "77.227.156.41",
- "source.port": "51600"
+ "source.port": "51600",
+ "tags": [
+ "cloud"
+ ]
 },
 {
 "@timestamp": "2019-10-17T13:23:07.523Z",
@@ -63,7 +66,10 @@
 "source.geo.region_iso_code": "ES-TE",
 "source.geo.region_name": "Teruel",
 "source.ip": "77.227.156.41",
- "source.port": "51726"
+ "source.port": "51726",
+ "tags": [
+ "cloud"
+ ]
 },
 {
 "@timestamp": "2019-10-17T13:23:08.477Z",
@@ -96,7 +102,10 @@
 "source.geo.region_iso_code": "ES-TE",
 "source.geo.region_name": "Teruel",
 "source.ip": "77.227.156.41",
- "source.port": "51734"
+ "source.port": "51734",
+ "tags": [
+ "cloud"
+ ]
 },
 {
 "@timestamp": "2019-10-17T13:23:09.174Z",
@@ -129,7 +138,10 @@
 "source.geo.region_iso_code": "ES-TE",
 "source.geo.region_name": "Teruel",
 "source.ip": "77.227.156.41",
- "source.port": "51738"
+ "source.port": "51738",
+ "tags": [
+ "cloud"
+ ]
 },
 {
 "@timestamp": "2019-10-17T13:26:14.308Z",
@@ -162,7 +174,10 @@
 "source.geo.region_iso_code": "ES-TE",
 "source.geo.region_name": "Teruel",
 "source.ip": "77.227.156.41",
- "source.port": "46288"
+ "source.port": "46288",
+ "tags": [
+ "cloud"
+ ]
 },
 {
 "@timestamp": "2019-10-17T13:26:19.318Z",
@@ -195,6 +210,9 @@
 "source.geo.region_iso_code": "ES-TE",
 "source.geo.region_name": "Teruel",
 "source.ip": "77.227.156.41",
- "source.port": "46304"
+ "source.port": "46304",
+ "tags": [
+ "cloud"
+ ]
 }
 ]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/aws/elb/test/example-alb-http.log-expected.json b/x-pack/filebeat/module/aws/elb/test/example-alb-http.log-expected.json
index 1a46cee8d85..fc916f87a3e 100644
--- a/x-pack/filebeat/module/aws/elb/test/example-alb-http.log-expected.json
+++ b/x-pack/filebeat/module/aws/elb/test/example-alb-http.log-expected.json
@@ -36,6 +36,9 @@
 "service.type": "aws",
 "source.ip": "192.168.131.39",
 "source.port": "2817",
+ "tags": [
+ "cloud"
+ ],
 "tracing.trace.id": "Root=1-58337262-36d228ad5d99923122bbe354",
 "user_agent.original": "curl/7.46.0"
 },
@@ -81,6 +84,9 @@
 "service.type": "aws",
 "source.ip": "192.168.131.39",
 "source.port": "2817",
+ "tags": [
+ "cloud"
+ ],
 "tls.cipher": "ECDHE-RSA-AES128-GCM-SHA256",
 "tls.version": "1.2",
 "tls.version_protocol": "tls",
@@ -127,6 +133,9 @@
 "service.type": "aws",
 "source.ip": "10.0.1.252",
 "source.port": "48160",
+ "tags": [
+ "cloud"
+ ],
 "tls.cipher": "ECDHE-RSA-AES128-GCM-SHA256",
 "tls.version": "1.2",
 "tls.version_protocol": "tls",
@@ -170,6 +179,9 @@
 "service.type": "aws",
 "source.ip": "10.0.0.140",
 "source.port": "40914",
+ "tags": [
+ "cloud"
+ ],
 "tracing.trace.id": "Root=1-58337364-23a8c76965a2ef7629b185e3",
 "user_agent.original": "-"
 },
@@ -204,6 +216,9 @@
 "service.type": "aws",
 "source.ip": "10.0.0.140",
 "source.port": "44244",
+ "tags": [
+ "cloud"
+ ],
 "tls.cipher": "ECDHE-RSA-AES128-GCM-SHA256",
 "tls.version": "1.2",
 "tls.version_protocol": "tls",
@@ -244,6 +259,9 @@
 "service.type": "aws",
 "source.ip": "192.168.131.39",
 "source.port": "2817",
+ "tags": [
+ "cloud"
+ ],
 "tracing.trace.id": "Root=1-58337364-23a8c76965a2ef7629b185e3",
 "user_agent.original": "curl/7.46.0"
 },
@@ -282,6 +300,9 @@
 "service.type": "aws",
 "source.ip": "192.168.131.39",
 "source.port": "2817",
+ "tags": [
+ "cloud"
+ ],
 "tracing.trace.id": "Root=1-58337364-23a8c76965a2ef7629b185e3",
 "user_agent.original": "curl/7.46.0"
 },
@@ -311,6 +332,9 @@
 "service.type": "aws",
 "source.ip": "192.168.131.39",
 "source.port": "2817",
+ "tags": [
+ "cloud"
+ ],
 "tracing.trace.id": "-",
 "user_agent.original": "-"
 },
@@ -339,6 +363,9 @@
 "service.type": "aws",
 "source.ip": "192.168.131.39",
 "source.port": "2817",
+ "tags": [
+ "cloud"
+ ],
 "tracing.trace.id": "-",
 "user_agent.original": "-"
 }
diff --git a/x-pack/filebeat/module/aws/elb/test/example-http.log-expected.json b/x-pack/filebeat/module/aws/elb/test/example-http.log-expected.json
index 72f9a57f6e3..4d039e3a34c 100644
--- a/x-pack/filebeat/module/aws/elb/test/example-http.log-expected.json
+++ b/x-pack/filebeat/module/aws/elb/test/example-http.log-expected.json
@@ -28,6 +28,9 @@
 "service.type": "aws",
 "source.ip": "192.168.131.39",
 "source.port": "2817",
+ "tags": [
+ "cloud"
+ ],
 "user_agent.original": "curl/7.38.0"
 },
 {
@@ -53,6 +56,9 @@
 "service.type": "aws",
 "source.ip": "192.168.131.39",
 "source.port": "2817",
+ "tags": [
+ "cloud"
+ ],
 "user_agent.original": "curl/7.38.0"
 },
 {
@@ -77,6 +83,9 @@
 "service.type": "aws",
 "source.ip": "192.168.131.39",
 "source.port": "2817",
+ "tags": [
+ "cloud"
+ ],
 "user_agent.original": "-"
 }
 ]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/aws/elb/test/example-https.log-expected.json b/x-pack/filebeat/module/aws/elb/test/example-https.log-expected.json
index ef09a37d579..f3431eec5ea 100644
--- a/x-pack/filebeat/module/aws/elb/test/example-https.log-expected.json
+++ b/x-pack/filebeat/module/aws/elb/test/example-https.log-expected.json
@@ -30,6 +30,9 @@
 "service.type": "aws",
 "source.ip": "192.168.131.39",
 "source.port": "2817",
+ "tags": [
+ "cloud"
+ ],
 "tls.cipher": "DHE-RSA-AES128-SHA",
 "tls.version": "1.2",
 "tls.version_protocol": "tls",
diff --git a/x-pack/filebeat/module/aws/elb/test/example-nlb-tcp.log-expected.json b/x-pack/filebeat/module/aws/elb/test/example-nlb-tcp.log-expected.json
index 74c1c0e8cc7..8421e2490aa 100644
--- a/x-pack/filebeat/module/aws/elb/test/example-nlb-tcp.log-expected.json
+++ b/x-pack/filebeat/module/aws/elb/test/example-nlb-tcp.log-expected.json
@@ -36,6 +36,9 @@
 "source.geo.region_name": "Virginia",
 "source.ip": "72.21.218.154",
 "source.port": "51341",
+ "tags": [
+ "cloud"
+ ],
 "tls.cipher": "ECDHE-RSA-AES128-SHA",
 "tls.version": "1.2",
 "tls.version_protocol": "tls"
diff --git a/x-pack/filebeat/module/aws/elb/test/example-ssl.log-expected.json b/x-pack/filebeat/module/aws/elb/test/example-ssl.log-expected.json
index 84f2748861c..1631ca8436f 100644
--- a/x-pack/filebeat/module/aws/elb/test/example-ssl.log-expected.json
+++ b/x-pack/filebeat/module/aws/elb/test/example-ssl.log-expected.json
@@ -24,6 +24,9 @@
 "source.bytes": 57,
 "source.ip": "192.168.131.39",
 "source.port": "2817",
+ "tags": [
+ "cloud"
+ ],
 "tls.cipher": "ECDHE-ECDSA-AES128-GCM-SHA256",
 "tls.version": "1.2",
 "tls.version_protocol": "tls"
diff --git a/x-pack/filebeat/module/aws/elb/test/example-tcp.log-expected.json b/x-pack/filebeat/module/aws/elb/test/example-tcp.log-expected.json
index af89134a830..cbbfcd5c2d7 100644
--- a/x-pack/filebeat/module/aws/elb/test/example-tcp.log-expected.json
+++ b/x-pack/filebeat/module/aws/elb/test/example-tcp.log-expected.json
@@ -21,7 +21,10 @@
 "service.type": "aws",
 "source.bytes": 82,
 "source.ip": "192.168.131.39",
- "source.port": "2817"
+ "source.port": "2817",
+ "tags": [
+ "cloud"
+ ]
 },
 {
 "@timestamp": "2015-05-13T23:39:43.945Z",
@@ -40,6 +43,9 @@
 "service.type": "aws",
 "source.bytes": 82,
 "source.ip": "192.168.131.39",
- "source.port": "2817"
+ "source.port": "2817",
+ "tags": [
+ "cloud"
+ ]
 }
 ]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/aws/s3access/config/file.yml b/x-pack/filebeat/module/aws/s3access/config/file.yml
index 52fc73f363d..dd115d9b78b 100644
--- a/x-pack/filebeat/module/aws/s3access/config/file.yml
+++ b/x-pack/filebeat/module/aws/s3access/config/file.yml
@@ -4,6 +4,8 @@ paths:
 - {{$path}}
 {{ end }}
 exclude_files: [".gz$"]
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "cloud" }}
 processors:
 - add_fields:
diff --git a/x-pack/filebeat/module/aws/s3access/config/s3.yml b/x-pack/filebeat/module/aws/s3access/config/s3.yml
index 75d02f1cbbb..ca998a4e1d1 100644
--- a/x-pack/filebeat/module/aws/s3access/config/s3.yml
+++ b/x-pack/filebeat/module/aws/s3access/config/s3.yml
@@ -37,6 +37,9 @@ session_token: {{ .session_token }}
 role_arn: {{ .role_arn }}
 {{ end }}
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "cloud" }}
+
 processors:
 - add_fields:
 target: ''
diff --git a/x-pack/filebeat/module/aws/s3access/manifest.yml b/x-pack/filebeat/module/aws/s3access/manifest.yml
index 16d188c1c0d..774964c2f49 100644
--- a/x-pack/filebeat/module/aws/s3access/manifest.yml
+++ b/x-pack/filebeat/module/aws/s3access/manifest.yml
@@ -13,6 +13,8 @@ var:
 - name: secret_access_key
 - name: session_token
 - name: role_arn
+ - name: tags
+ default: [cloud]
 ingest_pipeline: ingest/pipeline.yml
 input: config/{{.input}}.yml
diff --git a/x-pack/filebeat/module/aws/s3access/test/s3_server_access.log-expected.json b/x-pack/filebeat/module/aws/s3access/test/s3_server_access.log-expected.json
index b312118a644..ff117b32a06 100644
--- a/x-pack/filebeat/module/aws/s3access/test/s3_server_access.log-expected.json
+++ b/x-pack/filebeat/module/aws/s3access/test/s3_server_access.log-expected.json
@@ -47,6 +47,9 @@
 "36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2"
 ],
 "service.type": "aws",
+ "tags": [
+ "cloud"
+ ],
 "tls.cipher": "ECDHE-RSA-AES128-SHA",
 "tls.version": "1.2",
 "tls.version_protocol": "tls",
@@ -106,6 +109,9 @@
 "36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2"
 ],
 "service.type": "aws",
+ "tags": [
+ "cloud"
+ ],
 "tls.cipher": "ECDHE-RSA-AES128-SHA",
 "tls.version": "1.2",
 "tls.version_protocol": "tls",
@@ -166,6 +172,9 @@
 "36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2"
 ],
 "service.type": "aws",
+ "tags": [
+ "cloud"
+ ],
 "tls.cipher": "ECDHE-RSA-AES128-SHA",
 "tls.version": "1.2",
 "tls.version_protocol": "tls",
@@ -225,6 +234,9 @@
 "36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2"
 ],
 "service.type": "aws",
+ "tags": [
+ "cloud"
+ ],
 "tls.cipher": "ECDHE-RSA-AES128-SHA",
 "tls.version": "1.2",
 "tls.version_protocol": "tls",
@@ -281,6 +293,9 @@
 "36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2"
 ],
 "service.type": "aws",
+ "tags": [
+ "cloud"
+ ],
 "tls.cipher": "ECDHE-RSA-AES128-SHA",
 "tls.version": "1.2",
 "tls.version_protocol": "tls"
@@ -330,6 +345,9 @@
 "36c1f05b76016b78528454e6e0c60e2b7ff7aa20c0a5e4c748276e5b0a2debd2"
 ],
 "service.type": "aws",
+ "tags": [
+ "cloud"
+ ],
 "tls.cipher": "ECDHE-RSA-AES128-SHA",
 "tls.version": "1.2",
 "tls.version_protocol": "tls"
diff --git a/x-pack/filebeat/module/aws/s3access/test/test.log-expected.json b/x-pack/filebeat/module/aws/s3access/test/test.log-expected.json
index 61baec94c6c..c815f5156f9 100644
--- a/x-pack/filebeat/module/aws/s3access/test/test.log-expected.json
+++ b/x-pack/filebeat/module/aws/s3access/test/test.log-expected.json
@@ -40,6 +40,9 @@
 "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be"
 ],
 "service.type": "aws",
+ "tags": [
+ "cloud"
+ ],
 "tls.cipher": "ECDHE-RSA-AES128-GCM-SHA256",
 "tls.version": "1.1",
 "tls.version_protocol": "tls",
@@ -88,6 +91,9 @@
 "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be"
 ],
 "service.type": "aws",
+ "tags": [
+ "cloud"
+ ],
 "tls.cipher": "ECDHE-RSA-AES128-GCM-SHA256",
 "tls.version": "1.1",
 "tls.version_protocol": "tls",
@@ -138,6 +144,9 @@
 "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be"
 ],
 "service.type": "aws",
+ "tags": [
+ "cloud"
+ ],
 "tls.cipher": "ECDHE-RSA-AES128-GCM-SHA256",
 "tls.version": "1.1",
 "tls.version_protocol": "tls",
@@ -186,6 +195,9 @@
 "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be"
 ],
 "service.type": "aws",
+ "tags": [
+ "cloud"
+ ],
 "tls.cipher": "ECDHE-RSA-AES128-GCM-SHA256",
 "tls.version": "1.1",
 "tls.version_protocol": "tls",
@@ -236,6 +248,9 @@
 "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be"
 ],
 "service.type": "aws",
+ "tags": [
+ "cloud"
+ ],
 "tls.cipher": "ECDHE-RSA-AES128-SHA",
 "tls.version": "1.1",
 "tls.version_protocol": "tls",
diff --git a/x-pack/filebeat/module/aws/vpcflow/config/input.yml b/x-pack/filebeat/module/aws/vpcflow/config/input.yml
index 82d4d2dec23..57a97aa886e 100644
--- a/x-pack/filebeat/module/aws/vpcflow/config/input.yml
+++ b/x-pack/filebeat/module/aws/vpcflow/config/input.yml
@@ -49,6 +49,8 @@ paths:
 exclude_files: [".gz$"]
 {{ end }}
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "cloud" }}
 processors:
 - drop_event:
diff --git a/x-pack/filebeat/module/aws/vpcflow/manifest.yml b/x-pack/filebeat/module/aws/vpcflow/manifest.yml
index 2bcc4d6cbe5..4b50161da99 100644
--- a/x-pack/filebeat/module/aws/vpcflow/manifest.yml
+++ b/x-pack/filebeat/module/aws/vpcflow/manifest.yml
@@ -13,6 +13,8 @@ var:
 - name: secret_access_key
 - name: session_token
 - name: role_arn
+ - name: tags
+ default: [cloud]
 ingest_pipeline: ingest/pipeline.yml
 input: config/input.yml
diff --git a/x-pack/filebeat/module/aws/vpcflow/test/accept-reject-traffic.log-expected.json b/x-pack/filebeat/module/aws/vpcflow/test/accept-reject-traffic.log-expected.json
index f31e0bf9931..70f0bd1e835 100644
--- a/x-pack/filebeat/module/aws/vpcflow/test/accept-reject-traffic.log-expected.json
+++ b/x-pack/filebeat/module/aws/vpcflow/test/accept-reject-traffic.log-expected.json
@@ -53,7 +53,10 @@
 "source.geo.region_name": "Moscow",
 "source.ip": "78.24.182.42",
 "source.packets": 20,
- "source.port": 20641
+ "source.port": 20641,
+ "tags": [
+ "cloud"
+ ]
 },
 {
 "@timestamp": "2014-12-14T04:07:50.000Z",
@@ -109,7 +112,10 @@
 "source.geo.region_name": "Moscow",
 "source.ip": "78.24.182.42",
 "source.packets": 20,
- "source.port": 49761
+ "source.port": 49761,
+ "tags": [
+ "cloud"
+ ]
 },
 {
 "@timestamp": "2015-05-29T16:32:22.000Z",
@@ -149,7 +155,10 @@
 "source.bytes": 336,
 "source.ip": "203.0.113.12",
 "source.packets": 4,
- "source.port": 0
+ "source.port": 0,
+ "tags": [
+ "cloud"
+ ]
 },
 {
 "@timestamp": "2015-05-29T16:32:22.000Z",
@@ -189,6 +198,9 @@
 "source.bytes": 336,
 "source.ip": "172.31.16.139",
 "source.packets": 4,
- "source.port": 0
+ "source.port": 0,
+ "tags": [
+ "cloud"
+ ]
 }
 ]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/aws/vpcflow/test/custom-nat-gateway.log-expected.json b/x-pack/filebeat/module/aws/vpcflow/test/custom-nat-gateway.log-expected.json
index a1e34b59b5c..b8e660f4f58 100644
--- a/x-pack/filebeat/module/aws/vpcflow/test/custom-nat-gateway.log-expected.json
+++ b/x-pack/filebeat/module/aws/vpcflow/test/custom-nat-gateway.log-expected.json
@@ -23,7 +23,10 @@
 ],
 "service.type": "aws",
 "source.address": "10.0.1.5",
- "source.ip": "10.0.1.5"
+ "source.ip": "10.0.1.5",
+ "tags": [
+ "cloud"
+ ]
 },
 {
 "aws.vpcflow.instance_id": "i-01234567890123456",
@@ -50,6 +53,9 @@
 ],
 "service.type": "aws",
 "source.address": "10.0.1.5",
- "source.ip": "10.0.1.5"
+ "source.ip": "10.0.1.5",
+ "tags": [
+ "cloud"
+ ]
 }
 ]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/aws/vpcflow/test/custom-transit-gateway.log-expected.json b/x-pack/filebeat/module/aws/vpcflow/test/custom-transit-gateway.log-expected.json
index d288b8b06db..a822c8ed25a 100644
--- a/x-pack/filebeat/module/aws/vpcflow/test/custom-transit-gateway.log-expected.json
+++ b/x-pack/filebeat/module/aws/vpcflow/test/custom-transit-gateway.log-expected.json
@@ -39,6 +39,9 @@
 "service.type": "aws",
 "source.address": "10.20.33.164",
 "source.ip": "10.20.33.164",
- "source.port": 39812
+ "source.port": 39812,
+ "tags": [
+ "cloud"
+ ]
 }
 ]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/aws/vpcflow/test/ipv6.log-expected.json b/x-pack/filebeat/module/aws/vpcflow/test/ipv6.log-expected.json
index 12899b7b728..47c65c5d734 100644
--- a/x-pack/filebeat/module/aws/vpcflow/test/ipv6.log-expected.json
+++ b/x-pack/filebeat/module/aws/vpcflow/test/ipv6.log-expected.json
@@ -38,6 +38,9 @@
 "source.bytes": 8855,
 "source.ip": "2001:db8:1234:a100:8d6e:3477:df66:f105",
 "source.packets": 54,
- "source.port": 34892
+ "source.port": 34892,
+ "tags": [
+ "cloud"
+ ]
 }
 ]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/aws/vpcflow/test/no-data-skip-data.log-expected.json b/x-pack/filebeat/module/aws/vpcflow/test/no-data-skip-data.log-expected.json
index 456b3efca62..081d0b654ca 100644
--- a/x-pack/filebeat/module/aws/vpcflow/test/no-data-skip-data.log-expected.json
+++ b/x-pack/filebeat/module/aws/vpcflow/test/no-data-skip-data.log-expected.json
@@ -19,7 +19,10 @@
 "fileset.name": "vpcflow",
 "input.type": "log",
 "log.offset": 0,
- "service.type": "aws"
+ "service.type": "aws",
+ "tags": [
+ "cloud"
+ ]
 },
 {
 "@timestamp": "2015-05-10T18:02:14.000Z",
@@ -41,6 +44,9 @@
 "fileset.name": "vpcflow",
 "input.type": "log",
 "log.offset": 82,
- "service.type": "aws"
+ "service.type": "aws",
+ "tags": [
+ "cloud"
+ ]
 }
 ]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/aws/vpcflow/test/tcp-flag-sequence.log-expected.json b/x-pack/filebeat/module/aws/vpcflow/test/tcp-flag-sequence.log-expected.json
index cb24fd34183..d65139843f3 100644
--- a/x-pack/filebeat/module/aws/vpcflow/test/tcp-flag-sequence.log-expected.json
+++ b/x-pack/filebeat/module/aws/vpcflow/test/tcp-flag-sequence.log-expected.json
@@ -55,6 +55,9 @@
 "source.geo.region_name": "Leinster",
 "source.ip": "52.213.180.42",
 "source.packets": 8,
- "source.port": 43416
+ "source.port": 43416,
+ "tags": [
+ "cloud"
+ ]
 }
 ]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/azure/activitylogs/config/azure-eventhub.yml b/x-pack/filebeat/module/azure/activitylogs/config/azure-eventhub.yml
index 9b747e1092d..247c34aed4c 100644
--- a/x-pack/filebeat/module/azure/activitylogs/config/azure-eventhub.yml
+++ b/x-pack/filebeat/module/azure/activitylogs/config/azure-eventhub.yml
@@ -5,3 +5,6 @@ consumer_group: {{ .consumer_group }}
 storage_account: {{ .storage_account }}
 storage_account_key: {{ .storage_account_key }}
 resource_manager_endpoint: {{ .resource_manager_endpoint }}
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "cloud" }}
+
diff --git a/x-pack/filebeat/module/azure/activitylogs/config/file.yml b/x-pack/filebeat/module/azure/activitylogs/config/file.yml
index 8e366e70c17..bfef9c90eec 100644
--- a/x-pack/filebeat/module/azure/activitylogs/config/file.yml
+++ b/x-pack/filebeat/module/azure/activitylogs/config/file.yml
@@ -4,3 +4,5 @@ paths:
 - {{$path}}
 {{ end }}
 exclude_files: [".gz$"]
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "cloud" }}
diff --git a/x-pack/filebeat/module/azure/activitylogs/manifest.yml b/x-pack/filebeat/module/azure/activitylogs/manifest.yml
index 4d5c20a7271..982b2d40595 100644
--- a/x-pack/filebeat/module/azure/activitylogs/manifest.yml
+++ b/x-pack/filebeat/module/azure/activitylogs/manifest.yml
@@ -11,6 +11,8 @@ var:
 - name: storage_account
 - name: storage_account_key
 - name: resource_manager_endpoint
+ - name: tags
+ default: [cloud]
 ingest_pipeline:
 - ingest/pipeline.json
diff --git a/x-pack/filebeat/module/azure/activitylogs/test/activitylogs.log-expected.json b/x-pack/filebeat/module/azure/activitylogs/test/activitylogs.log-expected.json
index 51e34f7fd43..38be6a968ca 100644
--- a/x-pack/filebeat/module/azure/activitylogs/test/activitylogs.log-expected.json
+++ b/x-pack/filebeat/module/azure/activitylogs/test/activitylogs.log-expected.json
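Review bot: The activitylogs azure-eventhub.yml hunk ends with an added empty line (the bare `+`) at end of file, whereas the auditlogs azure-eventhub.yml hunk below removes its trailing empty line and the signinlogs one adds none, so the three sibling templates end differently after this commit; the differing result blobs in the `index` lines (`247c34aed4c` here versus `9019789e590` for the other two, which start from the same `9b747e1092d`) show that this is the only difference between them. Dropping the trailing `+` line here would make the three files identical; it is whitespace only and does not change the rendered config.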
@@ -48,6 +48,9 @@ "log.level": "Information", "log.offset": 0, "service.type": "azure", - "source.ip": "51.251.141.41" + "source.ip": "51.251.141.41", + "tags": [ + "cloud" + ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/azure/auditlogs/config/azure-eventhub.yml b/x-pack/filebeat/module/azure/auditlogs/config/azure-eventhub.yml index 3c2ea50cf8b..9019789e590 100644 --- a/x-pack/filebeat/module/azure/auditlogs/config/azure-eventhub.yml +++ b/x-pack/filebeat/module/azure/auditlogs/config/azure-eventhub.yml @@ -5,4 +5,5 @@ consumer_group: {{ .consumer_group }} storage_account: {{ .storage_account }} storage_account_key: {{ .storage_account_key }} resource_manager_endpoint: {{ .resource_manager_endpoint }} - +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "cloud" }} diff --git a/x-pack/filebeat/module/azure/auditlogs/config/file.yml b/x-pack/filebeat/module/azure/auditlogs/config/file.yml index 8e366e70c17..bfef9c90eec 100644 --- a/x-pack/filebeat/module/azure/auditlogs/config/file.yml +++ b/x-pack/filebeat/module/azure/auditlogs/config/file.yml @@ -4,3 +4,5 @@ paths: - {{$path}} {{ end }} exclude_files: [".gz$"] +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "cloud" }} diff --git a/x-pack/filebeat/module/azure/auditlogs/manifest.yml b/x-pack/filebeat/module/azure/auditlogs/manifest.yml index 095371bff16..3baccad14c8 100644 --- a/x-pack/filebeat/module/azure/auditlogs/manifest.yml +++ b/x-pack/filebeat/module/azure/auditlogs/manifest.yml @@ -11,6 +11,8 @@ var: - name: storage_account - name: storage_account_key - name: resource_manager_endpoint + - name: tags + default: [cloud] ingest_pipeline: - ingest/pipeline.json diff --git a/x-pack/filebeat/module/azure/auditlogs/test/auditlogs.log-expected.json b/x-pack/filebeat/module/azure/auditlogs/test/auditlogs.log-expected.json index b1d6a668be6..5323662c8fb 100644 --- a/x-pack/filebeat/module/azure/auditlogs/test/auditlogs.log-expected.json 
+++ b/x-pack/filebeat/module/azure/auditlogs/test/auditlogs.log-expected.json @@ -37,6 +37,9 @@ "input.type": "log", "log.level": "Informational", "log.offset": 0, - "service.type": "azure" + "service.type": "azure", + "tags": [ + "cloud" + ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/azure/signinlogs/config/azure-eventhub.yml b/x-pack/filebeat/module/azure/signinlogs/config/azure-eventhub.yml index 9b747e1092d..9019789e590 100644 --- a/x-pack/filebeat/module/azure/signinlogs/config/azure-eventhub.yml +++ b/x-pack/filebeat/module/azure/signinlogs/config/azure-eventhub.yml @@ -5,3 +5,5 @@ consumer_group: {{ .consumer_group }} storage_account: {{ .storage_account }} storage_account_key: {{ .storage_account_key }} resource_manager_endpoint: {{ .resource_manager_endpoint }} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "cloud" }} diff --git a/x-pack/filebeat/module/azure/signinlogs/config/file.yml b/x-pack/filebeat/module/azure/signinlogs/config/file.yml index 8e366e70c17..bfef9c90eec 100644 --- a/x-pack/filebeat/module/azure/signinlogs/config/file.yml +++ b/x-pack/filebeat/module/azure/signinlogs/config/file.yml @@ -4,3 +4,5 @@ paths: - {{$path}} {{ end }} exclude_files: [".gz$"] +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "cloud" }} diff --git a/x-pack/filebeat/module/azure/signinlogs/manifest.yml b/x-pack/filebeat/module/azure/signinlogs/manifest.yml index 97fddae51e9..67079219fe4 100644 --- a/x-pack/filebeat/module/azure/signinlogs/manifest.yml +++ b/x-pack/filebeat/module/azure/signinlogs/manifest.yml @@ -11,6 +11,8 @@ var: - name: storage_account - name: storage_account_key - name: resource_manager_endpoint + - name: tags + default: [cloud] ingest_pipeline: - ingest/pipeline.json diff --git a/x-pack/filebeat/module/azure/signinlogs/test/signinlogs.log-expected.json b/x-pack/filebeat/module/azure/signinlogs/test/signinlogs.log-expected.json index 6c9aea80c36..c7a59cf056d 100644 
--- a/x-pack/filebeat/module/azure/signinlogs/test/signinlogs.log-expected.json +++ b/x-pack/filebeat/module/azure/signinlogs/test/signinlogs.log-expected.json @@ -52,6 +52,9 @@ "log.offset": 0, "message": "This error occurred due to 'Keep me signed in' interrupt when the user was signing-in.", "service.type": "azure", - "source.ip": "81.171.241.231" + "source.ip": "81.171.241.231", + "tags": [ + "cloud" + ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/cef/_meta/docs.asciidoc b/x-pack/filebeat/module/cef/_meta/docs.asciidoc index 00d2ab1e791..365a07b933a 100644 --- a/x-pack/filebeat/module/cef/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/cef/_meta/docs.asciidoc @@ -35,6 +35,12 @@ The UDP port to listen for syslog traffic. Defaults to `9003` NOTE: Ports below 1024 require Filebeat to run as root. +*`var.tags`*:: + +A list of tags to include in events. Including `forwarded` indicates that the +events did not originate on this host and causes `host.name` to not be added to +events. Defaults to `[cef, forwarded]`. + [float] ==== Forcepoint NGFW Security Management Center diff --git a/x-pack/filebeat/module/cef/log/config/input.yml b/x-pack/filebeat/module/cef/log/config/input.yml index cf5bde45c89..49a2b1829be 100644 --- a/x-pack/filebeat/module/cef/log/config/input.yml +++ b/x-pack/filebeat/module/cef/log/config/input.yml @@ -15,7 +15,8 @@ exclude_files: [".gz$"] {{ end }} -tags: {{.tags}} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} processors: - rename: diff --git a/x-pack/filebeat/module/cef/log/manifest.yml b/x-pack/filebeat/module/cef/log/manifest.yml index 60115d99b40..777ac5010be 100644 --- a/x-pack/filebeat/module/cef/log/manifest.yml +++ b/x-pack/filebeat/module/cef/log/manifest.yml @@ -5,7 +5,7 @@ var: default: - /var/log/cef.log - name: tags - default: [cef] + default: [cef, forwarded] - name: syslog_host default: localhost - name: syslog_port 
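Review bot: In the cef input.yml hunk, `publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}` ties host suppression to the literal `forwarded` tag, so any `var.tags` override that omits or respells it (for example a user who pinned the previous default `[cef]`) silently gets `host.*` stamped on events that still arrived from a remote syslog sender, which then attributes another device's events to the collector in anything keyed on `host.name`; if `inList` is an exact string match, the docs should say so. The docs.asciidoc hunk says including `forwarded` "causes `host.name` to not be added", but per the description the default `add_host_metadata` processor is gated on the same tag, so `causes the host.* fields to not be added when the default processors configuration is used` describes the actual effect. Because the behavior now depends on the exact tag list, the CHANGELOG entry (in the diffstat, not in this chunk) should tell users with a custom `var.tags` to add `forwarded` if they want host enrichment suppressed.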
diff --git a/x-pack/filebeat/module/cef/log/test/cef.log-expected.json b/x-pack/filebeat/module/cef/log/test/cef.log-expected.json index 99b9348a741..ca0127defbd 100644 --- a/x-pack/filebeat/module/cef/log/test/cef.log-expected.json +++ b/x-pack/filebeat/module/cef/log/test/cef.log-expected.json @@ -51,7 +51,8 @@ "source.port": 33876, "source.service.name": "httpd", "tags": [ - "cef" + "cef", + "forwarded" ], "url.original": "https://www.example.com/cart" }, @@ -119,7 +120,8 @@ "source.port": 33876, "source.user.name": "bob", "tags": [ - "cef" + "cef", + "forwarded" ] }, { @@ -148,7 +150,8 @@ "service.type": "cef", "source.user.group.name": "user", "tags": [ - "cef" + "cef", + "forwarded" ] }, { @@ -182,7 +185,8 @@ "service.type": "cef", "source.ip": "192.168.3.4", "tags": [ - "cef" + "cef", + "forwarded" ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/cef/log/test/checkpoint.log-expected.json b/x-pack/filebeat/module/cef/log/test/checkpoint.log-expected.json index 1dce9c9aae7..8d027229032 100644 --- a/x-pack/filebeat/module/cef/log/test/checkpoint.log-expected.json +++ b/x-pack/filebeat/module/cef/log/test/checkpoint.log-expected.json @@ -90,7 +90,8 @@ "source.nat.port": 35398, "source.port": 49363, "tags": [ - "cef" + "cef", + "forwarded" ] }, { @@ -139,7 +140,8 @@ "service.type": "cef", "source.port": 4001, "tags": [ - "cef" + "cef", + "forwarded" ] }, { @@ -191,7 +193,8 @@ "service.type": "cef", "source.ip": "fd00::555", "tags": [ - "cef" + "cef", + "forwarded" ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/cef/log/test/fp-ngfw-smc.log-expected.json b/x-pack/filebeat/module/cef/log/test/fp-ngfw-smc.log-expected.json index be322967983..70ef4f7776f 100644 --- a/x-pack/filebeat/module/cef/log/test/fp-ngfw-smc.log-expected.json +++ b/x-pack/filebeat/module/cef/log/test/fp-ngfw-smc.log-expected.json @@ -29,7 +29,8 @@ "observer.version": "6.6.1", "service.type": "cef", "tags": [ - "cef" + "cef", + "forwarded" ] }, { 
@@ -62,7 +63,8 @@ "observer.version": "6.6.1", "service.type": "cef", "tags": [ - "cef" + "cef", + "forwarded" ] }, { @@ -114,7 +116,8 @@ "service.type": "cef", "source.ip": "10.37.205.252", "tags": [ - "cef" + "cef", + "forwarded" ] }, { @@ -167,7 +170,8 @@ "source.ip": "172.16.1.1", "source.port": 68, "tags": [ - "cef" + "cef", + "forwarded" ] }, { @@ -218,7 +222,8 @@ "service.type": "cef", "source.ip": "172.16.1.1", "tags": [ - "cef" + "cef", + "forwarded" ] }, { @@ -266,7 +271,8 @@ "source.bytes": 32526, "source.user.name": "alice", "tags": [ - "cef" + "cef", + "forwarded" ] }, { @@ -308,7 +314,8 @@ "source.ip": "192.168.1.1", "source.user.name": "bob", "tags": [ - "cef" + "cef", + "forwarded" ] }, { @@ -350,7 +357,8 @@ "source.ip": "192.168.1.1", "source.user.name": "bob", "tags": [ - "cef" + "cef", + "forwarded" ] }, { @@ -392,7 +400,8 @@ "source.ip": "172.16.2.1", "source.user.name": "alice", "tags": [ - "cef" + "cef", + "forwarded" ] }, { @@ -425,7 +434,8 @@ "observer.version": "6.6.1", "service.type": "cef", "tags": [ - "cef" + "cef", + "forwarded" ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/googlecloud/audit/config/input.yml b/x-pack/filebeat/module/googlecloud/audit/config/input.yml index 04c746177f8..fe18acbcb5e 100644 --- a/x-pack/filebeat/module/googlecloud/audit/config/input.yml +++ b/x-pack/filebeat/module/googlecloud/audit/config/input.yml @@ -21,6 +21,8 @@ paths: exclude_files: [".gz$"] {{ end }} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "cloud" }} processors: - script: diff --git a/x-pack/filebeat/module/googlecloud/audit/manifest.yml b/x-pack/filebeat/module/googlecloud/audit/manifest.yml index 347d8eaa1cb..70bac9b4d61 100644 --- a/x-pack/filebeat/module/googlecloud/audit/manifest.yml +++ b/x-pack/filebeat/module/googlecloud/audit/manifest.yml 
@@ -13,6 +13,9 @@ var: - name: credentials_json - name: keep_original_message default: false + - name: tags + default: [cloud] + ingest_pipeline: ingest/pipeline.yml input: config/input.yml diff --git a/x-pack/filebeat/module/googlecloud/audit/test/audit-log-entries.json.log-expected.json b/x-pack/filebeat/module/googlecloud/audit/test/audit-log-entries.json.log-expected.json index cf665ca41d1..335c983e4a2 100644 --- a/x-pack/filebeat/module/googlecloud/audit/test/audit-log-entries.json.log-expected.json +++ b/x-pack/filebeat/module/googlecloud/audit/test/audit-log-entries.json.log-expected.json @@ -31,6 +31,9 @@ "service.name": "cloudbilling.googleapis.com", "service.type": "googlecloud", "source.ip": "192.168.1.1", + "tags": [ + "cloud" + ], "user.email": "xxx@xxx.xxx" }, { @@ -72,6 +75,9 @@ "service.name": "compute.googleapis.com", "service.type": "googlecloud", "source.ip": "192.168.1.1", + "tags": [ + "cloud" + ], "user.email": "xxx@xxx.xxx", "user_agent.device.name": "Other", "user_agent.name": "Firefox", @@ -120,6 +126,9 @@ "service.name": "compute.googleapis.com", "service.type": "googlecloud", "source.ip": "192.168.1.1", + "tags": [ + "cloud" + ], "user.email": "xxx@xxx.xxx", "user_agent.device.name": "Other", "user_agent.name": "Firefox", @@ -169,6 +178,9 @@ "service.name": "compute.googleapis.com", "service.type": "googlecloud", "source.ip": "192.168.1.1", + "tags": [ + "cloud" + ], "user.email": "xxx@xxx.xxx", "user_agent.device.name": "Other", "user_agent.name": "Firefox", diff --git a/x-pack/filebeat/module/googlecloud/firewall/config/input.yml b/x-pack/filebeat/module/googlecloud/firewall/config/input.yml index 779e7a0bff1..fa76e021540 100644 --- a/x-pack/filebeat/module/googlecloud/firewall/config/input.yml +++ b/x-pack/filebeat/module/googlecloud/firewall/config/input.yml @@ -21,6 +21,8 @@ paths: exclude_files: [".gz$"] {{ end }} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "cloud" }} processors: - script: 
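Review bot: The googlecloud audit manifest hunk adds an empty `+` line after `default: [cloud]`, and the firewall and vpcflow manifest hunks do the same, whereas the azure manifests add only the two `tags` lines; dropping the blank line keeps the manifests uniform. No `_meta/docs.asciidoc` change for the azure or googlecloud modules appears in this chunk, unlike cef; if none exists elsewhere in the patch, `var.tags` and its effect on host enrichment should be documented for these modules as well, mirroring the cef entry with a line like `A list of tags to include in events. Including cloud causes host fields to not be added. Defaults to [cloud].`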
diff --git a/x-pack/filebeat/module/googlecloud/firewall/manifest.yml b/x-pack/filebeat/module/googlecloud/firewall/manifest.yml index 53e4c5dc69d..69a04bc10ef 100644 --- a/x-pack/filebeat/module/googlecloud/firewall/manifest.yml +++ b/x-pack/filebeat/module/googlecloud/firewall/manifest.yml @@ -15,6 +15,9 @@ var: default: false - name: keep_original_message default: false + - name: tags + default: [cloud] + ingest_pipeline: ingest/pipeline.yml input: config/input.yml diff --git a/x-pack/filebeat/module/googlecloud/firewall/test/rare.log-expected.json b/x-pack/filebeat/module/googlecloud/firewall/test/rare.log-expected.json index c109a99ac29..79b71b64a43 100644 --- a/x-pack/filebeat/module/googlecloud/firewall/test/rare.log-expected.json +++ b/x-pack/filebeat/module/googlecloud/firewall/test/rare.log-expected.json @@ -61,7 +61,10 @@ "source.address": "10.142.0.10", "source.domain": "test-es", "source.ip": "10.142.0.10", - "source.port": 57794 + "source.port": 57794, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-11-06T16:41:38.394Z", @@ -125,6 +128,9 @@ "source.address": "10.142.0.16", "source.domain": "local-adrian-test", "source.ip": "10.142.0.16", - "source.port": 80 + "source.port": 80, + "tags": [ + "cloud" + ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/googlecloud/firewall/test/test.log-expected.json b/x-pack/filebeat/module/googlecloud/firewall/test/test.log-expected.json index 161bf3dbfdb..c4c332f2f5a 100644 --- a/x-pack/filebeat/module/googlecloud/firewall/test/test.log-expected.json +++ b/x-pack/filebeat/module/googlecloud/firewall/test/test.log-expected.json @@ -59,7 +59,10 @@ "source.address": "10.128.0.16", "source.domain": "adrian-test", "source.ip": "10.128.0.16", - "source.port": 60094 + "source.port": 60094, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-10-30T13:52:42.191Z", 
@@ -120,7 +123,10 @@ "source.geo.continent_name": "Asia", "source.geo.country_name": "omn", "source.ip": "192.0.2.126", - "source.port": 64853 + "source.port": 64853, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-11-11T12:31:19.421Z", @@ -184,7 +190,10 @@ "source.geo.country_name": "rus", "source.geo.region_name": "Krasnodar Krai", "source.ip": "192.0.2.219", - "source.port": 2897 + "source.port": 2897, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-11-11T12:41:31.079Z", @@ -246,7 +255,10 @@ "source.geo.continent_name": "Europe", "source.geo.country_name": "deu", "source.ip": "192.0.2.14", - "source.port": 61000 + "source.port": 61000, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-11-11T12:41:34.190Z", @@ -308,7 +320,10 @@ "source.geo.continent_name": "Europe", "source.geo.country_name": "deu", "source.ip": "192.0.2.14", - "source.port": 61000 + "source.port": 61000, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-11-11T12:48:41.449Z", @@ -372,7 +387,10 @@ "source.geo.country_name": "ukr", "source.geo.region_name": "Zhytomyr Oblast", "source.ip": "192.0.2.151", - "source.port": 62551 + "source.port": 62551, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-11-11T13:10:24.214Z", @@ -436,7 +454,10 @@ "source.geo.country_name": "ita", "source.geo.region_name": "Veneto", "source.ip": "192.0.2.241", - "source.port": 44542 + "source.port": 44542, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-11-11T13:35:23.504Z", @@ -500,7 +521,10 @@ "source.geo.country_name": "rus", "source.geo.region_name": "Tula Oblast", "source.ip": "192.0.2.114", - "source.port": 41293 + "source.port": 41293, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-11-11T13:36:52.135Z", @@ -564,7 +588,10 @@ "source.geo.country_name": "rus", "source.geo.region_name": "Stavropol Krai", "source.ip": "192.0.2.251", - "source.port": 59106 + "source.port": 59106, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-11-11T14:06:16.593Z", 
@@ -628,7 +655,10 @@ "source.geo.country_name": "fra", "source.geo.region_name": "Provence-Alpes-C\u00f4te d'Azur", "source.ip": "192.0.2.189", - "source.port": 61000 + "source.port": 61000, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-11-11T14:06:22.930Z", @@ -692,7 +722,10 @@ "source.geo.country_name": "fra", "source.geo.region_name": "Provence-Alpes-C\u00f4te d'Azur", "source.ip": "192.0.2.189", - "source.port": 61000 + "source.port": 61000, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-11-11T14:32:07.407Z", @@ -756,7 +789,10 @@ "source.geo.country_name": "tur", "source.geo.region_name": "\u0130zmir", "source.ip": "192.0.2.200", - "source.port": 42716 + "source.port": 42716, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-11-12T12:41:20.972Z", @@ -818,7 +854,10 @@ "source.address": "10.28.0.16", "source.domain": "adrian-test", "source.ip": "10.28.0.16", - "source.port": 46418 + "source.port": 46418, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-11-12T12:42:26.505Z", @@ -880,7 +919,10 @@ "source.address": "10.28.0.16", "source.domain": "adrian-test", "source.ip": "10.28.0.16", - "source.port": 58725 + "source.port": 58725, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-11-11T12:54:13.531Z", @@ -948,7 +990,10 @@ "source.geo.continent_name": "America", "source.geo.country_name": "usa", "source.ip": "192.0.2.114", - "source.port": 44666 + "source.port": 44666, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-11-11T12:54:13.551Z", @@ -1016,7 +1061,10 @@ "source.geo.continent_name": "America", "source.geo.country_name": "usa", "source.ip": "192.0.2.114", - "source.port": 44668 + "source.port": 44668, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-11-11T12:54:15.771Z", @@ -1079,7 +1127,10 @@ "source.geo.country_name": "nld", "source.geo.region_name": "Overijssel", "source.ip": "192.0.2.7", - "source.port": 1683 + "source.port": 1683, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-11-11T12:54:35.850Z", 
@@ -1147,7 +1198,10 @@ "source.geo.continent_name": "America", "source.geo.country_name": "usa", "source.ip": "192.0.2.114", - "source.port": 45068 + "source.port": 45068, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-11-11T12:54:35.850Z", @@ -1215,7 +1269,10 @@ "source.geo.continent_name": "America", "source.geo.country_name": "usa", "source.ip": "192.0.2.114", - "source.port": 45062 + "source.port": 45062, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-11-06T16:41:38.394Z", @@ -1282,6 +1339,9 @@ "source.address": "10.42.0.10", "source.domain": "test-es", "source.ip": "10.42.0.10", - "source.port": 57794 + "source.port": 57794, + "tags": [ + "cloud" + ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/googlecloud/vpcflow/config/input.yml b/x-pack/filebeat/module/googlecloud/vpcflow/config/input.yml index 010ec42bc35..58a9fd2b3d9 100644 --- a/x-pack/filebeat/module/googlecloud/vpcflow/config/input.yml +++ b/x-pack/filebeat/module/googlecloud/vpcflow/config/input.yml @@ -21,6 +21,8 @@ paths: exclude_files: [".gz$"] {{ end }} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "cloud" }} processors: - script: diff --git a/x-pack/filebeat/module/googlecloud/vpcflow/manifest.yml b/x-pack/filebeat/module/googlecloud/vpcflow/manifest.yml index 6c2ec7c1da3..85031435e77 100644 --- a/x-pack/filebeat/module/googlecloud/vpcflow/manifest.yml +++ b/x-pack/filebeat/module/googlecloud/vpcflow/manifest.yml @@ -13,6 +13,9 @@ var: - name: credentials_json - name: keep_original_message default: false + - name: tags + default: [cloud] + ingest_pipeline: ingest/pipeline.yml input: config/input.yml diff --git a/x-pack/filebeat/module/googlecloud/vpcflow/test/vpc-flow-log-entries.json.log-expected.json b/x-pack/filebeat/module/googlecloud/vpcflow/test/vpc-flow-log-entries.json.log-expected.json index 203a89dcd2e..dbaa9edd43d 100644 --- a/x-pack/filebeat/module/googlecloud/vpcflow/test/vpc-flow-log-entries.json.log-expected.json 
+++ b/x-pack/filebeat/module/googlecloud/vpcflow/test/vpc-flow-log-entries.json.log-expected.json @@ -48,7 +48,10 @@ "source.domain": "kibana", "source.ip": "10.87.40.76", "source.packets": 7, - "source.port": 5601 + "source.port": 5601, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:10.845Z", @@ -106,7 +109,10 @@ "source.geo.country_name": "usa", "source.ip": "198.51.100.248", "source.packets": 68, - "source.port": 9200 + "source.port": 9200, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:10.845Z", @@ -164,7 +170,10 @@ "source.domain": "elasticsearch", "source.ip": "10.139.99.242", "source.packets": 78, - "source.port": 9200 + "source.port": 9200, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:10.845Z", @@ -216,7 +225,10 @@ "source.domain": "elasticsearch", "source.ip": "10.139.99.242", "source.packets": 1, - "source.port": 22 + "source.port": 22, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:10.845Z", @@ -267,7 +279,10 @@ "source.domain": "kibana", "source.ip": "10.87.40.76", "source.packets": 7, - "source.port": 5601 + "source.port": 5601, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:10.845Z", @@ -318,7 +333,10 @@ "source.geo.country_name": "usa", "source.ip": "192.0.2.117", "source.packets": 7, - "source.port": 50646 + "source.port": 50646, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:10.845Z", @@ -376,7 +394,10 @@ "source.geo.country_name": "usa", "source.ip": "198.51.100.248", "source.packets": 251, - "source.port": 9200 + "source.port": 9200, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:10.845Z", @@ -434,7 +455,10 @@ "source.domain": "kibana", "source.ip": "10.87.40.76", "source.packets": 92, - "source.port": 33880 + "source.port": 33880, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:10.845Z", 
@@ -492,7 +516,10 @@ "source.geo.country_name": "usa", "source.ip": "198.51.100.248", "source.packets": 247, - "source.port": 9200 + "source.port": 9200, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:10.845Z", @@ -550,7 +577,10 @@ "source.geo.country_name": "usa", "source.ip": "198.51.100.248", "source.packets": 63, - "source.port": 9200 + "source.port": 9200, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:10.845Z", @@ -602,7 +632,10 @@ "source.geo.region_name": "Saint Petersburg", "source.ip": "192.0.2.23", "source.packets": 3, - "source.port": 59679 + "source.port": 59679, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:10.845Z", @@ -660,7 +693,10 @@ "source.geo.country_name": "usa", "source.ip": "203.0.113.134", "source.packets": 94, - "source.port": 33576 + "source.port": 33576, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:10.845Z", @@ -718,7 +754,10 @@ "source.geo.country_name": "usa", "source.ip": "203.0.113.134", "source.packets": 356, - "source.port": 33562 + "source.port": 33562, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:10.845Z", @@ -776,7 +815,10 @@ "source.domain": "kibana", "source.ip": "10.87.40.76", "source.packets": 361, - "source.port": 33692 + "source.port": 33692, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:10.845Z", @@ -834,7 +876,10 @@ "source.domain": "kibana", "source.ip": "10.87.40.76", "source.packets": 360, - "source.port": 33542 + "source.port": 33542, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:10.845Z", @@ -892,7 +937,10 @@ "source.domain": "kibana", "source.ip": "10.87.40.76", "source.packets": 99, - "source.port": 33970 + "source.port": 33970, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:10.845Z", 
@@ -940,7 +988,10 @@ "source.bytes": 34509840, "source.ip": "203.0.113.93", "source.packets": 8690, - "source.port": 9243 + "source.port": 9243, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:10.845Z", @@ -991,7 +1042,10 @@ "source.geo.country_name": "usa", "source.ip": "203.0.113.12", "source.packets": 7, - "source.port": 34836 + "source.port": 34836, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:10.845Z", @@ -1049,7 +1103,10 @@ "source.domain": "kibana", "source.ip": "10.87.40.76", "source.packets": 367, - "source.port": 33554 + "source.port": 33554, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:10.845Z", @@ -1102,7 +1159,10 @@ "source.domain": "elasticsearch", "source.ip": "10.139.99.242", "source.packets": 608, - "source.port": 9200 + "source.port": 9200, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:10.845Z", @@ -1160,7 +1220,10 @@ "source.domain": "elasticsearch", "source.ip": "10.139.99.242", "source.packets": 258, - "source.port": 9200 + "source.port": 9200, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:10.845Z", @@ -1208,7 +1271,10 @@ "source.domain": "simianhacker-demo", "source.ip": "10.49.136.133", "source.packets": 44438, - "source.port": 46864 + "source.port": 46864, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:10.845Z", @@ -1259,7 +1325,10 @@ "source.geo.country_name": "usa", "source.ip": "203.0.113.12", "source.packets": 7, - "source.port": 33478 + "source.port": 33478, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:10.845Z", @@ -1317,7 +1386,10 @@ "source.domain": "elasticsearch", "source.ip": "10.139.99.242", "source.packets": 241, - "source.port": 9200 + "source.port": 9200, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:10.845Z", 
@@ -1370,7 +1442,10 @@ "source.geo.region_name": "Colorado", "source.ip": "203.0.113.58", "source.packets": 732, - "source.port": 65320 + "source.port": 65320, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:10.845Z", @@ -1428,7 +1503,10 @@ "source.geo.country_name": "usa", "source.ip": "198.51.100.248", "source.packets": 246, - "source.port": 9200 + "source.port": 9200, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:10.845Z", @@ -1486,7 +1564,10 @@ "source.geo.country_name": "usa", "source.ip": "203.0.113.134", "source.packets": 340, - "source.port": 33548 + "source.port": 33548, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:10.845Z", @@ -1537,7 +1618,10 @@ "source.domain": "kibana", "source.ip": "10.87.40.76", "source.packets": 7, - "source.port": 5601 + "source.port": 5601, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:11.981Z", @@ -1590,7 +1674,10 @@ "source.geo.region_name": "Vinh Phuc Province", "source.ip": "192.0.2.165", "source.packets": 18, - "source.port": 59623 + "source.port": 59623, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:11.981Z", @@ -1648,7 +1735,10 @@ "source.domain": "kibana", "source.ip": "10.87.40.76", "source.packets": 363, - "source.port": 33552 + "source.port": 33552, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:11.981Z", @@ -1699,7 +1789,10 @@ "source.geo.country_name": "usa", "source.ip": "198.51.100.107", "source.packets": 7, - "source.port": 33924 + "source.port": 33924, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:11.981Z", @@ -1757,7 +1850,10 @@ "source.domain": "elasticsearch", "source.ip": "10.139.99.242", "source.packets": 260, - "source.port": 9200 + "source.port": 9200, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:11.981Z", 
@@ -1815,7 +1911,10 @@ "source.domain": "elasticsearch", "source.ip": "10.139.99.242", "source.packets": 265, - "source.port": 9200 + "source.port": 9200, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:11.981Z", @@ -1868,7 +1967,10 @@ "source.domain": "elasticsearch", "source.ip": "10.139.99.242", "source.packets": 607, - "source.port": 9200 + "source.port": 9200, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:11.981Z", @@ -1926,7 +2028,10 @@ "source.geo.country_name": "usa", "source.ip": "203.0.113.134", "source.packets": 356, - "source.port": 33534 + "source.port": 33534, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:11.981Z", @@ -1984,7 +2089,10 @@ "source.domain": "elasticsearch", "source.ip": "10.139.99.242", "source.packets": 735, - "source.port": 9200 + "source.port": 9200, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:11.981Z", @@ -2035,7 +2143,10 @@ "source.domain": "kibana", "source.ip": "10.87.40.76", "source.packets": 7, - "source.port": 5601 + "source.port": 5601, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:11.981Z", @@ -2088,7 +2199,10 @@ "source.domain": "elasticsearch", "source.ip": "10.139.99.242", "source.packets": 594, - "source.port": 9200 + "source.port": 9200, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:11.981Z", @@ -2146,7 +2260,10 @@ "source.geo.country_name": "usa", "source.ip": "203.0.113.134", "source.packets": 58, - "source.port": 33524 + "source.port": 33524, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:11.981Z", @@ -2204,7 +2321,10 @@ "source.domain": "elasticsearch", "source.ip": "10.139.99.242", "source.packets": 130, - "source.port": 9200 + "source.port": 9200, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:11.981Z", 
@@ -2262,7 +2382,10 @@ "source.geo.country_name": "usa", "source.ip": "198.51.100.248", "source.packets": 250, - "source.port": 9200 + "source.port": 9200, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:11.981Z", @@ -2320,7 +2443,10 @@ "source.domain": "elasticsearch", "source.ip": "10.139.99.242", "source.packets": 37, - "source.port": 9200 + "source.port": 9200, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:11.981Z", @@ -2378,7 +2504,10 @@ "source.geo.country_name": "usa", "source.ip": "198.51.100.248", "source.packets": 237, - "source.port": 9200 + "source.port": 9200, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:11.981Z", @@ -2436,7 +2565,10 @@ "source.geo.country_name": "usa", "source.ip": "203.0.113.134", "source.packets": 353, - "source.port": 33694 + "source.port": 33694, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:11.981Z", @@ -2487,7 +2619,10 @@ "source.domain": "kibana", "source.ip": "10.87.40.76", "source.packets": 7, - "source.port": 5601 + "source.port": 5601, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:11.981Z", @@ -2540,7 +2675,10 @@ "source.domain": "elasticsearch", "source.ip": "10.139.99.242", "source.packets": 605, - "source.port": 9200 + "source.port": 9200, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:11.981Z", @@ -2591,7 +2729,10 @@ "source.geo.country_name": "usa", "source.ip": "192.0.2.117", "source.packets": 7, - "source.port": 33862 + "source.port": 33862, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:11.981Z", @@ -2644,7 +2785,10 @@ "source.geo.region_name": "Colorado", "source.ip": "203.0.113.58", "source.packets": 737, - "source.port": 65321 + "source.port": 65321, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:11.981Z", 
@@ -2697,7 +2841,10 @@ "source.domain": "elasticsearch", "source.ip": "10.139.99.242", "source.packets": 600, - "source.port": 9200 + "source.port": 9200, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:11.981Z", @@ -2755,7 +2902,10 @@ "source.geo.country_name": "usa", "source.ip": "203.0.113.101", "source.packets": 949, - "source.port": 49680 + "source.port": 49680, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:11.981Z", @@ -2813,7 +2963,10 @@ "source.geo.country_name": "usa", "source.ip": "192.0.2.177", "source.packets": 227, - "source.port": 60112 + "source.port": 60112, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:11.981Z", @@ -2871,7 +3024,10 @@ "source.domain": "elasticsearch", "source.ip": "10.139.99.242", "source.packets": 270, - "source.port": 9200 + "source.port": 9200, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:11.981Z", @@ -2924,7 +3080,10 @@ "source.geo.region_name": "Colorado", "source.ip": "203.0.113.58", "source.packets": 709, - "source.port": 65316 + "source.port": 65316, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:11.981Z", @@ -2977,7 +3136,10 @@ "source.geo.region_name": "Colorado", "source.ip": "203.0.113.58", "source.packets": 728, - "source.port": 65263 + "source.port": 65263, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:11.981Z", @@ -3028,7 +3190,10 @@ "source.geo.country_name": "usa", "source.ip": "192.0.2.117", "source.packets": 7, - "source.port": 50438 + "source.port": 50438, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:11.981Z", @@ -3079,7 +3244,10 @@ "source.domain": "kibana", "source.ip": "10.87.40.76", "source.packets": 7, - "source.port": 5601 + "source.port": 5601, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:11.981Z", 
@@ -3132,7 +3300,10 @@ "source.domain": "elasticsearch", "source.ip": "10.139.99.242", "source.packets": 11, - "source.port": 22 + "source.port": 22, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:11.981Z", @@ -3190,7 +3361,10 @@ "source.geo.country_name": "usa", "source.ip": "203.0.113.134", "source.packets": 353, - "source.port": 33558 + "source.port": 33558, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:11.981Z", @@ -3248,7 +3422,10 @@ "source.domain": "kibana", "source.ip": "10.87.40.76", "source.packets": 354, - "source.port": 33548 + "source.port": 33548, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:11.981Z", @@ -3301,7 +3478,10 @@ "source.geo.region_name": "Colorado", "source.ip": "203.0.113.58", "source.packets": 717, - "source.port": 65271 + "source.port": 65271, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:13.921Z", @@ -3352,7 +3532,10 @@ "source.geo.country_name": "usa", "source.ip": "203.0.113.12", "source.packets": 7, - "source.port": 34178 + "source.port": 34178, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:13.921Z", @@ -3403,7 +3586,10 @@ "source.geo.country_name": "usa", "source.ip": "198.51.100.107", "source.packets": 7, - "source.port": 33602 + "source.port": 33602, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:13.921Z", @@ -3461,7 +3647,10 @@ "source.geo.country_name": "usa", "source.ip": "203.0.113.134", "source.packets": 366, - "source.port": 33554 + "source.port": 33554, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:13.921Z", @@ -3512,7 +3701,10 @@ "source.domain": "kibana", "source.ip": "10.87.40.76", "source.packets": 7, - "source.port": 5601 + "source.port": 5601, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:13.921Z", 
@@ -3563,7 +3755,10 @@ "source.geo.country_name": "usa", "source.ip": "203.0.113.27", "source.packets": 7, - "source.port": 52454 + "source.port": 52454, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:13.921Z", @@ -3621,7 +3816,10 @@ "source.geo.country_name": "usa", "source.ip": "198.51.100.248", "source.packets": 251, - "source.port": 9200 + "source.port": 9200, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:13.921Z", @@ -3672,7 +3870,10 @@ "source.domain": "kibana", "source.ip": "10.87.40.76", "source.packets": 7, - "source.port": 5601 + "source.port": 5601, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:13.921Z", @@ -3730,7 +3931,10 @@ "source.domain": "kibana", "source.ip": "10.87.40.76", "source.packets": 361, - "source.port": 33530 + "source.port": 33530, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:13.921Z", @@ -3788,7 +3992,10 @@ "source.domain": "kibana", "source.ip": "10.87.40.76", "source.packets": 366, - "source.port": 33556 + "source.port": 33556, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:13.921Z", @@ -3846,7 +4053,10 @@ "source.geo.country_name": "usa", "source.ip": "203.0.113.134", "source.packets": 86, - "source.port": 33570 + "source.port": 33570, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:13.921Z", @@ -3904,7 +4114,10 @@ "source.domain": "elasticsearch", "source.ip": "10.139.99.242", "source.packets": 247, - "source.port": 9200 + "source.port": 9200, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:13.921Z", @@ -3955,7 +4168,10 @@ "source.domain": "kibana", "source.ip": "10.87.40.76", "source.packets": 7, - "source.port": 5601 + "source.port": 5601, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:13.921Z", 
@@ -4013,7 +4229,10 @@ "source.geo.country_name": "usa", "source.ip": "203.0.113.134", "source.packets": 118, - "source.port": 33858 + "source.port": 33858, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:13.921Z", @@ -4064,7 +4283,10 @@ "source.geo.country_name": "usa", "source.ip": "198.51.100.107", "source.packets": 7, - "source.port": 33064 + "source.port": 33064, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:13.921Z", @@ -4122,7 +4344,10 @@ "source.geo.country_name": "usa", "source.ip": "198.51.100.248", "source.packets": 251, - "source.port": 9200 + "source.port": 9200, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:13.921Z", @@ -4173,7 +4398,10 @@ "source.geo.country_name": "usa", "source.ip": "203.0.113.27", "source.packets": 7, - "source.port": 53706 + "source.port": 53706, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:13.921Z", @@ -4224,7 +4452,10 @@ "source.geo.country_name": "usa", "source.ip": "203.0.113.27", "source.packets": 7, - "source.port": 52260 + "source.port": 52260, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:13.921Z", @@ -4275,7 +4506,10 @@ "source.domain": "kibana", "source.ip": "10.87.40.76", "source.packets": 7, - "source.port": 5601 + "source.port": 5601, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:13.921Z", @@ -4326,7 +4560,10 @@ "source.domain": "kibana", "source.ip": "10.87.40.76", "source.packets": 7, - "source.port": 5601 + "source.port": 5601, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:13.921Z", @@ -4377,7 +4614,10 @@ "source.domain": "kibana", "source.ip": "10.87.40.76", "source.packets": 7, - "source.port": 5601 + "source.port": 5601, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:13.921Z", 
@@ -4428,7 +4668,10 @@ "source.geo.country_name": "usa", "source.ip": "198.51.100.107", "source.packets": 7, - "source.port": 34906 + "source.port": 34906, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:13.921Z", @@ -4479,7 +4722,10 @@ "source.domain": "kibana", "source.ip": "10.87.40.76", "source.packets": 7, - "source.port": 5601 + "source.port": 5601, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:13.921Z", @@ -4537,7 +4783,10 @@ "source.domain": "kibana", "source.ip": "10.87.40.76", "source.packets": 361, - "source.port": 33534 + "source.port": 33534, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:13.921Z", @@ -4595,7 +4844,10 @@ "source.domain": "kibana", "source.ip": "10.87.40.76", "source.packets": 358, - "source.port": 33510 + "source.port": 33510, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:13.921Z", @@ -4646,7 +4898,10 @@ "source.geo.country_name": "usa", "source.ip": "203.0.113.12", "source.packets": 7, - "source.port": 58216 + "source.port": 58216, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:13.921Z", @@ -4704,7 +4959,10 @@ "source.geo.country_name": "usa", "source.ip": "198.51.100.248", "source.packets": 243, - "source.port": 9200 + "source.port": 9200, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:13.921Z", @@ -4755,7 +5013,10 @@ "source.domain": "kibana", "source.ip": "10.87.40.76", "source.packets": 7, - "source.port": 5601 + "source.port": 5601, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:13.921Z", @@ -4806,7 +5067,10 @@ "source.domain": "kibana", "source.ip": "10.87.40.76", "source.packets": 7, - "source.port": 5601 + "source.port": 5601, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:13.921Z", 
@@ -4857,7 +5121,10 @@ "source.geo.country_name": "usa", "source.ip": "203.0.113.27", "source.packets": 7, - "source.port": 34090 + "source.port": 34090, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:13.921Z", @@ -4915,7 +5182,10 @@ "source.geo.country_name": "usa", "source.ip": "198.51.100.248", "source.packets": 246, - "source.port": 9200 + "source.port": 9200, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:13.921Z", @@ -4973,7 +5243,10 @@ "source.domain": "elasticsearch", "source.ip": "10.139.99.242", "source.packets": 71, - "source.port": 9200 + "source.port": 9200, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:13.921Z", @@ -5031,7 +5304,10 @@ "source.domain": "elasticsearch", "source.ip": "10.139.99.242", "source.packets": 75, - "source.port": 9200 + "source.port": 9200, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:16.453Z", @@ -5089,7 +5365,10 @@ "source.domain": "elasticsearch", "source.ip": "10.139.99.242", "source.packets": 249, - "source.port": 9200 + "source.port": 9200, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:16.453Z", @@ -5147,7 +5426,10 @@ "source.domain": "elasticsearch", "source.ip": "10.139.99.242", "source.packets": 357, - "source.port": 9200 + "source.port": 9200, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:16.453Z", @@ -5205,7 +5487,10 @@ "source.domain": "elasticsearch", "source.ip": "10.139.99.242", "source.packets": 242, - "source.port": 9200 + "source.port": 9200, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:16.453Z", @@ -5263,7 +5548,10 @@ "source.geo.country_name": "usa", "source.ip": "198.51.100.248", "source.packets": 244, - "source.port": 9200 + "source.port": 9200, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:16.453Z", 
@@ -5321,7 +5609,10 @@ "source.geo.country_name": "usa", "source.ip": "192.0.2.177", "source.packets": 708, - "source.port": 60108 + "source.port": 60108, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:16.453Z", @@ -5379,7 +5670,10 @@ "source.domain": "elasticsearch", "source.ip": "10.139.99.242", "source.packets": 74, - "source.port": 9200 + "source.port": 9200, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:16.453Z", @@ -5437,7 +5731,10 @@ "source.geo.country_name": "usa", "source.ip": "203.0.113.134", "source.packets": 95, - "source.port": 33968 + "source.port": 33968, + "tags": [ + "cloud" + ] }, { "@timestamp": "2019-06-14T03:50:16.453Z", @@ -5495,6 +5792,9 @@ "source.geo.country_name": "usa", "source.ip": "203.0.113.134", "source.packets": 351, - "source.port": 33590 + "source.port": 33590, + "tags": [ + "cloud" + ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/o365/audit/config/input.yml b/x-pack/filebeat/module/o365/audit/config/input.yml index 71e9c9c59f3..a08a7206207 100644 --- a/x-pack/filebeat/module/o365/audit/config/input.yml +++ b/x-pack/filebeat/module/o365/audit/config/input.yml @@ -36,6 +36,8 @@ exclude_files: [".gz$"] json.add_error_key: true {{ end }} +tags: {{.tags | tojson}} +publisher_pipeline.disable_host: {{ inList .tags "cloud" }} processors: {{ if eq .input "file" }} diff --git a/x-pack/filebeat/module/o365/audit/manifest.yml b/x-pack/filebeat/module/o365/audit/manifest.yml index a00b9626619..f84a6dcccb1 100644 --- a/x-pack/filebeat/module/o365/audit/manifest.yml +++ b/x-pack/filebeat/module/o365/audit/manifest.yml @@ -11,6 +11,9 @@ var: - name: tenants - name: content_type - name: api + - name: tags + default: [cloud] + ingest_pipeline: ingest/pipeline.yml input: config/input.yml diff --git a/x-pack/filebeat/module/o365/audit/test/01-exchange-admin.log-expected.json b/x-pack/filebeat/module/o365/audit/test/01-exchange-admin.log-expected.json index 43ed055dad6..327943f8d56 100644 
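Review bot: `publisher_pipeline.disable_host: {{ inList .tags "cloud" }}` hard-codes the `cloud` tag as a contract shared with the `when` condition on `add_host_metadata` in the default filebeat.yml, and nothing in the template records that; a comment above the line such as `# "cloud" must match the tag the default add_host_metadata condition in filebeat.yml skips; dropping it from var.tags restores host.* fields` would keep the two sides in sync for maintainers. From a defender's view, removing `host.name` changes what detection rules and dashboards can pivot on for o365 events, so the module docs and the changelog entry in this commit should state that these events are now attributable only through `tags`, `service.type` and the event's own fields. How `inList` and `tojson` behave when `var.tags` is configured as a scalar string rather than a list is not visible in this chunk; the helper added to fileset.go in this commit should be covered by a test for that input. The diffstat suggests the same two template lines are added to the other cloud modules' input configs, so this note applies to each of them.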
--- a/x-pack/filebeat/module/o365/audit/test/01-exchange-admin.log-expected.json +++ b/x-pack/filebeat/module/o365/audit/test/01-exchange-admin.log-expected.json @@ -38,6 +38,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -92,6 +95,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -146,6 +152,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -187,6 +196,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -228,6 +240,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -270,6 +285,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -313,6 +331,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { 
@@ -354,6 +375,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -408,6 +432,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -462,6 +489,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -504,6 +534,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -558,6 +591,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -612,6 +648,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -666,6 +705,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -720,6 +762,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { 
@@ -774,6 +819,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -828,6 +876,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -869,6 +920,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -911,6 +965,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -953,6 +1010,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -994,6 +1054,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -1036,6 +1099,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -1090,6 +1156,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { 
@@ -1144,6 +1213,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -1198,6 +1270,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -1252,6 +1327,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -1306,6 +1384,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -1360,6 +1441,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -1414,6 +1498,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -1468,6 +1555,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -1524,6 +1614,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { 
@@ -1578,6 +1671,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -1632,6 +1728,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -1686,6 +1785,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -1740,6 +1842,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -1794,6 +1899,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -1848,6 +1956,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -1902,6 +2013,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -1956,6 +2070,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { 
@@ -2010,6 +2127,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -2061,6 +2181,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -2104,6 +2227,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -2146,6 +2272,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -2188,6 +2317,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -2230,6 +2362,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -2286,6 +2421,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -2340,6 +2478,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { 
@@ -2394,6 +2535,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -2448,6 +2592,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -2502,6 +2649,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -2556,6 +2706,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -2610,6 +2763,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -2664,6 +2820,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -2718,6 +2877,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -2772,6 +2934,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { 
@@ -2826,6 +2991,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -2880,6 +3048,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -2923,6 +3094,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -2966,6 +3140,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -3020,6 +3197,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -3074,6 +3254,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -3117,6 +3300,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -3158,6 +3344,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { 
@@ -3214,6 +3403,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -3268,6 +3460,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -3322,6 +3517,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -3376,6 +3574,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -3430,6 +3631,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -3484,6 +3688,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -3538,6 +3745,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -3592,6 +3802,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { 
@@ -3634,6 +3847,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -3677,6 +3893,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -3719,6 +3938,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -3762,6 +3984,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -3803,6 +4028,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -3846,6 +4074,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -3887,6 +4118,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -3930,6 +4164,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { 
@@ -3984,6 +4221,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -4038,6 +4278,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -4092,6 +4335,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -4146,6 +4392,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -4200,6 +4449,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -4254,6 +4506,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -4308,6 +4563,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -4362,6 +4620,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { 
@@ -4405,6 +4666,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -4459,6 +4723,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -4513,6 +4780,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -4555,6 +4825,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -4609,6 +4882,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -4650,6 +4926,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -4693,6 +4972,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { @@ -4744,6 +5026,9 @@ "organization.name": "testsiem.onmicrosoft.com", "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, { 
@@ -4798,6 +5083,9 @@
 "organization.name": "testsiem.onmicrosoft.com",
 "server.address": "HE1PR0102MB3228 (15.20.2707.017)",
 "service.type": "o365",
+ "tags": [
+ "cloud"
+ ],
 "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)"
 },
 {
@@ -4841,6 +5129,9 @@
 "organization.name": "testsiem.onmicrosoft.com",
 "server.address": "HE1PR0102MB3228 (15.20.2707.017)",
 "service.type": "o365",
+ "tags": [
+ "cloud"
+ ],
 "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)"
 },
 {
@@ -4895,6 +5186,9 @@
 "organization.name": "testsiem.onmicrosoft.com",
 "server.address": "HE1PR0102MB3228 (15.20.2707.017)",
 "service.type": "o365",
+ "tags": [
+ "cloud"
+ ],
 "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)"
 },
 {
@@ -4951,6 +5245,9 @@
 "organization.name": "testsiem.onmicrosoft.com",
 "server.address": "HE1PR0102MB3228 (15.20.2707.017)",
 "service.type": "o365",
+ "tags": [
+ "cloud"
+ ],
 "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)"
 },
 {
@@ -5005,6 +5302,9 @@
 "organization.name": "testsiem.onmicrosoft.com",
 "server.address": "HE1PR0102MB3228 (15.20.2707.017)",
 "service.type": "o365",
+ "tags": [
+ "cloud"
+ ],
 "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)"
 }
 ]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/o365/audit/test/02-exchange-item.log-expected.json b/x-pack/filebeat/module/o365/audit/test/02-exchange-item.log-expected.json
index 525e9dcf362..ae26e209044 100644
--- a/x-pack/filebeat/module/o365/audit/test/02-exchange-item.log-expected.json
+++ b/x-pack/filebeat/module/o365/audit/test/02-exchange-item.log-expected.json
@@ -55,6 +55,9 @@
 "server.address": "AM6PR01MB4535 (15.20.2729.032)\n",
 "service.type": "o365",
 "source.ip": "::1",
+ "tags": [
+ "cloud"
+ ],
 "user.email": "SIEMTest@testsiem.onmicrosoft.com",
 "user.id": "S-1-5-18"
 },
@@ -114,6 +117,9 @@
 "server.address": "DB3PR0102MB3500 (15.20.2729.032)\n",
 "service.type": "o365",
 "source.ip": "::1",
+ "tags": [
+ "cloud"
+ ],
 "user.email": "AllCompany.4529848321.eqpfynvc@testsiem.onmicrosoft.com",
 "user.id": "S-1-5-18"
 },
@@ -173,6 +179,9 @@
 "server.address": "DB7PR01MB4428 (15.20.2707.031)\n",
 "service.type": "o365",
 "source.ip": "::1",
+ "tags": [
+ "cloud"
+ ],
 "user.email": "AllCompany.4529848321.sqtielgo@testsiem.onmicrosoft.com",
 "user.id": "S-1-5-18"
 },
@@ -232,6 +241,9 @@
 "server.address": "DB3PR0102MB3500 (15.20.2729.032)",
 "service.type": "o365",
 "source.ip": "::1",
+ "tags": [
+ "cloud"
+ ],
 "user.email": "AllCompany.4529848321.eqpfynvc@testsiem.onmicrosoft.com",
 "user.id": "S-1-5-18"
 },
@@ -291,6 +303,9 @@
 "server.address": "DB7PR01MB4428 (15.20.2707.031)\n",
 "service.type": "o365",
 "source.ip": "::1",
+ "tags": [
+ "cloud"
+ ],
 "user.email": "AllCompany.4529848321.sqtielgo@testsiem.onmicrosoft.com",
 "user.id": "S-1-5-18"
 },
@@ -350,6 +365,9 @@
 "server.address": "DB7PR01MB4428 (15.20.2707.031)\n",
 "service.type": "o365",
 "source.ip": "::1",
+ "tags": [
+ "cloud"
+ ],
 "user.email": "AllCompany.4529848321.sqtielgo@testsiem.onmicrosoft.com",
 "user.id": "S-1-5-18"
 },
@@ -409,6 +427,9 @@
 "server.address": "DB3PR0102MB3500 (15.20.2729.032)\n",
 "service.type": "o365",
 "source.ip": "::1",
+ "tags": [
+ "cloud"
+ ],
 "user.email": "AllCompany.4529848321.eqpfynvc@testsiem.onmicrosoft.com",
 "user.id": "S-1-5-18"
 },
@@ -468,6 +489,9 @@
 "server.address": "AM6PR01MB4535 (15.20.2729.032)\n",
 "service.type": "o365",
 "source.ip": "::1",
+ "tags": [
+ "cloud"
+ ],
 "user.email": "SIEMTest@testsiem.onmicrosoft.com",
 "user.id": "S-1-5-18"
 },
@@ -527,6 +551,9 @@
 "server.address": "AM6PR01MB4535 (15.20.2729.032)\n",
 "service.type": "o365",
 "source.ip": "::1",
+ "tags": [
+ "cloud"
+ ],
 "user.email": "SIEMTest@testsiem.onmicrosoft.com",
 "user.id": "S-1-5-18"
 }
diff --git a/x-pack/filebeat/module/o365/audit/test/04-sharepoint.log-expected.json b/x-pack/filebeat/module/o365/audit/test/04-sharepoint.log-expected.json
index 93b5869d874..eb41d5da049 100644
--- a/x-pack/filebeat/module/o365/audit/test/04-sharepoint.log-expected.json
+++ b/x-pack/filebeat/module/o365/audit/test/04-sharepoint.log-expected.json
@@ -52,6 +52,9 @@
 "source.geo.region_iso_code": "ES-B",
 "source.geo.region_name": "Barcelona",
 "source.ip": "213.97.47.133",
+ "tags": [
+ "cloud"
+ ],
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
 "user.name": "asr",
@@ -116,6 +119,9 @@
 "source.geo.region_iso_code": "ES-B",
 "source.geo.region_name": "Barcelona",
 "source.ip": "213.97.47.133",
+ "tags": [
+ "cloud"
+ ],
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
 "user.name": "asr",
@@ -180,6 +186,9 @@
 "source.geo.region_iso_code": "ES-B",
 "source.geo.region_name": "Barcelona",
 "source.ip": "213.97.47.133",
+ "tags": [
+ "cloud"
+ ],
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
 "user.name": "asr",
@@ -244,6 +253,9 @@
 "source.geo.region_iso_code": "ES-B",
 "source.geo.region_name": "Barcelona",
 "source.ip": "213.97.47.133",
+ "tags": [
+ "cloud"
+ ],
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
 "user.name": "asr",
diff --git a/x-pack/filebeat/module/o365/audit/test/06-sharepointfileop.log-expected.json b/x-pack/filebeat/module/o365/audit/test/06-sharepointfileop.log-expected.json
index feaff17cf4c..4b6f4d6d4b4 100644
--- a/x-pack/filebeat/module/o365/audit/test/06-sharepointfileop.log-expected.json
+++ b/x-pack/filebeat/module/o365/audit/test/06-sharepointfileop.log-expected.json
@@ -59,6 +59,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", + "tags": [ + "cloud" + ], "url.original": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot 2020-01-27 at 11.30.48.png", "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -131,6 +134,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", + "tags": [ + "cloud" + ], "url.original": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot 2020-01-27 at 11.30.48.png", "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -203,6 +209,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", + "tags": [ + "cloud" + ], "url.original": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Forms/All.aspx", "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -275,6 +284,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", + "tags": [ + "cloud" + ], "url.original": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Forms/All.aspx", "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -348,6 +360,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", + "tags": [ + "cloud" + ], "url.original": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png", "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", 
@@ -420,6 +435,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", + "tags": [ + "cloud" + ], "url.original": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png", "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -492,6 +510,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", + "tags": [ + "cloud" + ], "url.original": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot 2020-01-27 at 11.30.48.png", "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -565,6 +586,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", + "tags": [ + "cloud" + ], "url.original": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png", "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -637,6 +661,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", + "tags": [ + "cloud" + ], "url.original": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png", "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -709,6 +736,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", + "tags": [ + "cloud" + ], "url.original": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png", "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", 
@@ -781,6 +811,9 @@
 "source.geo.region_iso_code": "ES-B",
 "source.geo.region_name": "Barcelona",
 "source.ip": "213.97.47.133",
+ "tags": [
+ "cloud"
+ ],
 "url.original": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png",
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
diff --git a/x-pack/filebeat/module/o365/audit/test/08-azuread.log-expected.json b/x-pack/filebeat/module/o365/audit/test/08-azuread.log-expected.json
index 8c4c7233407..f865e0c149d 100644
--- a/x-pack/filebeat/module/o365/audit/test/08-azuread.log-expected.json
+++ b/x-pack/filebeat/module/o365/audit/test/08-azuread.log-expected.json
@@ -134,6 +134,9 @@
 "source.geo.region_iso_code": "ES-B",
 "source.geo.region_name": "Barcelona",
 "source.ip": "83.57.233.151",
+ "tags": [
+ "cloud"
+ ],
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
 "user.name": "asr"
@@ -273,6 +276,9 @@
 "source.geo.region_iso_code": "ES-B",
 "source.geo.region_name": "Barcelona",
 "source.ip": "83.57.233.151",
+ "tags": [
+ "cloud"
+ ],
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
 "user.name": "asr"
@@ -412,6 +418,9 @@
 "source.geo.region_iso_code": "ES-B",
 "source.geo.region_name": "Barcelona",
 "source.ip": "83.57.233.151",
+ "tags": [
+ "cloud"
+ ],
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
 "user.name": "asr"
@@ -562,6 +571,9 @@
 "source.geo.region_iso_code": "ES-B",
 "source.geo.region_name": "Barcelona",
 "source.ip": "83.57.233.151",
+ "tags": [
+ "cloud"
+ ],
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
 "user.name": "asr"
@@ -712,6 +724,9 @@
 "source.geo.region_iso_code": "ES-B",
 "source.geo.region_name": "Barcelona",
 "source.ip": "83.57.233.151",
+ "tags": [
+ "cloud"
+ ],
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
 "user.name": "asr"
@@ -869,6 +884,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -1026,6 +1044,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -1183,6 +1204,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -1340,6 +1364,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -1497,6 +1524,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -1654,6 +1684,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -1811,6 +1844,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" 
@@ -1968,6 +2004,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -2125,6 +2164,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -2282,6 +2324,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -2439,6 +2484,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -2596,6 +2644,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -2753,6 +2804,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -2892,6 +2946,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" 
@@ -3031,6 +3088,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -3181,6 +3241,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -3320,6 +3383,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -3459,6 +3525,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -3598,6 +3667,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -3748,6 +3820,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -3905,6 +3980,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" 
@@ -4062,6 +4140,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -4219,6 +4300,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -4376,6 +4460,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -4533,6 +4620,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -4690,6 +4780,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -4847,6 +4940,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -5004,6 +5100,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" 
@@ -5162,6 +5261,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -5320,6 +5422,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -5445,6 +5550,9 @@ "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "related.user": "fim_password_service", "service.type": "o365", + "tags": [ + "cloud" + ], "user.domain": "support.onmicrosoft.com", "user.id": "fim_password_service@support.onmicrosoft.com", "user.name": "fim_password_service" @@ -5602,6 +5710,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -5759,6 +5870,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -5916,6 +6030,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -6073,6 +6190,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" 
@@ -6230,6 +6350,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -6387,6 +6510,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -6544,6 +6670,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -6701,6 +6830,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -6858,6 +6990,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -7015,6 +7150,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -7172,6 +7310,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" 
@@ -7329,6 +7470,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -7486,6 +7630,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -7643,6 +7790,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -7800,6 +7950,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -7958,6 +8111,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -8116,6 +8272,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -8273,6 +8432,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" 
@@ -8430,6 +8592,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -8587,6 +8752,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -8744,6 +8912,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -8901,6 +9072,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -9058,6 +9232,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -9215,6 +9392,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -9372,6 +9552,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" 
@@ -9529,6 +9712,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -9668,6 +9854,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -9807,6 +9996,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -9946,6 +10138,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -10085,6 +10280,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -10234,6 +10432,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -10384,6 +10585,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" 
@@ -10534,6 +10738,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -10684,6 +10891,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -10834,6 +11044,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -10971,6 +11184,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -11110,6 +11326,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -11249,6 +11468,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -11399,6 +11621,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" 
@@ -11549,6 +11774,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -11699,6 +11927,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -11838,6 +12069,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -11977,6 +12211,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -12116,6 +12353,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -12266,6 +12506,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -12416,6 +12659,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" 
@@ -12566,6 +12812,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -12723,6 +12972,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -12880,6 +13132,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -13037,6 +13292,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -13194,6 +13452,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -13351,6 +13612,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -13508,6 +13772,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" 
@@ -13665,6 +13932,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -13822,6 +14092,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -13979,6 +14252,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -14136,6 +14412,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -14293,6 +14572,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -14451,6 +14733,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -14609,6 +14894,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" 
@@ -14767,6 +15055,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -14922,6 +15213,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -15077,6 +15371,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -15232,6 +15529,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" diff --git a/x-pack/filebeat/module/o365/audit/test/11-dlp-sharepoint.log-expected.json b/x-pack/filebeat/module/o365/audit/test/11-dlp-sharepoint.log-expected.json index 8d1e8e5a328..107a64853a5 100644 --- a/x-pack/filebeat/module/o365/audit/test/11-dlp-sharepoint.log-expected.json +++ b/x-pack/filebeat/module/o365/audit/test/11-dlp-sharepoint.log-expected.json @@ -76,6 +76,9 @@ "rule.id": "c5981414-9f1f-4275-a2df-2fbfb1d03795", "rule.name": "Low volume of content detected U.S. Financial", "service.type": "o365", + "tags": [ + "cloud" + ], "url.original": "https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com/Documents/Customers%20Financial%20Data.docx", "user.domain": "TESTSIEM2.ONMICROSOFT.COM", "user.id": "ASR@TESTSIEM2.ONMICROSOFT.COM", 
@@ -167,6 +170,9 @@ "rule.id": "7503b92a-67c2-494b-8a46-57ef0d738886", "rule.name": "High volume of content detected U.S. Financial", "service.type": "o365", + "tags": [ + "cloud" + ], "url.original": "https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com/Documents/Customers%20Financial%20Data%20Copy.docx", "user.domain": "TESTSIEM2.ONMICROSOFT.COM", "user.id": "ASR@TESTSIEM2.ONMICROSOFT.COM", @@ -254,6 +260,9 @@ "rule.id": "c5981414-9f1f-4275-a2df-2fbfb1d03795", "rule.name": "Low volume of content detected U.S. Financial", "service.type": "o365", + "tags": [ + "cloud" + ], "url.original": "https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com/Documents/Customers%20Financial%20Data%20Copy.docx", "user.domain": "TESTSIEM2.ONMICROSOFT.COM", "user.id": "ASR@TESTSIEM2.ONMICROSOFT.COM", @@ -345,6 +354,9 @@ "rule.id": "7503b92a-67c2-494b-8a46-57ef0d738886", "rule.name": "High volume of content detected U.S. Financial", "service.type": "o365", + "tags": [ + "cloud" + ], "url.original": "https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com/Documents/Customers%20Financial%20Data.docx", "user.domain": "TESTSIEM2.ONMICROSOFT.COM", "user.id": "ASR@TESTSIEM2.ONMICROSOFT.COM", @@ -436,6 +448,9 @@ "rule.id": "bc4d376f-b038-4695-9362-609d32f963cf", "rule.name": "High volume of content detected France Financial", "service.type": "o365", + "tags": [ + "cloud" + ], "url.original": "https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com/Documents/INTERNAL%20CREDIT%20CARD%20NUMBERS.docx", "user.domain": "TESTSIEM2.ONMICROSOFT.COM", "user.id": "ASR@TESTSIEM2.ONMICROSOFT.COM", 
@@ -527,6 +542,9 @@ "rule.id": "121c85c3-b2b2-4d5b-af11-b1d1bc0b36fd", "rule.name": "Low volume of content detected France Financial", "service.type": "o365", + "tags": [ + "cloud" + ], "url.original": "https://testsiem2.sharepoint.com/sites/Internalcommunications/Shared%20Documents/Document.docx", "user.domain": "testsiem2.onmicrosoft.com", "user.id": "alice@testsiem2.onmicrosoft.com", @@ -618,6 +636,9 @@ "rule.id": "121c85c3-b2b2-4d5b-af11-b1d1bc0b36fd", "rule.name": "Low volume of content detected France Financial", "service.type": "o365", + "tags": [ + "cloud" + ], "url.original": "https://testsiem2.sharepoint.com/sites/Internalcommunications/Shared%20Documents/Document.docx", "user.domain": "testsiem2.onmicrosoft.com", "user.id": "alice@testsiem2.onmicrosoft.com", diff --git a/x-pack/filebeat/module/o365/audit/test/13-dlp-exchange.log-expected.json b/x-pack/filebeat/module/o365/audit/test/13-dlp-exchange.log-expected.json index 2a245f64168..d27f4cd73e4 100644 --- a/x-pack/filebeat/module/o365/audit/test/13-dlp-exchange.log-expected.json +++ b/x-pack/filebeat/module/o365/audit/test/13-dlp-exchange.log-expected.json @@ -143,6 +143,9 @@ ], "service.type": "o365", "source.user.email": "asr@testsiem2.onmicrosoft.com", + "tags": [ + "cloud" + ], "user.id": "DlpAgent" }, { @@ -289,6 +292,9 @@ ], "service.type": "o365", "source.user.email": "asr@testsiem2.onmicrosoft.com", + "tags": [ + "cloud" + ], "user.id": "DlpAgent" }, { @@ -436,6 +442,9 @@ ], "service.type": "o365", "source.user.email": "asr@testsiem2.onmicrosoft.com", + "tags": [ + "cloud" + ], "user.id": "DlpAgent" }, { @@ -583,6 +592,9 @@ ], "service.type": "o365", "source.user.email": "asr@testsiem2.onmicrosoft.com", + "tags": [ + "cloud" + ], "user.id": "DlpAgent" }, { @@ -680,6 +692,9 @@ "rule.name": "Low volume of content detected test", "service.type": "o365", "source.user.email": "asr@testsiem2.onmicrosoft.com", + "tags": [ + "cloud" + ], "user.id": "DlpAgent" }, { 
@@ -772,6 +787,9 @@ "rule.id": "8398c03a-a00d-42bb-8f80-ead0ad04e1df", "rule.name": "Low volume of content detected test", "service.type": "o365", + "tags": [ + "cloud" + ], "url.original": "https://example.net/testsiem2.onmicrosoft.com/sharepoint", "user.domain": "testsiem2.onmicrosoft.com", "user.id": "alice@testsiem2.onmicrosoft.com", diff --git a/x-pack/filebeat/module/o365/audit/test/14-sp-sharing-op.log-expected.json b/x-pack/filebeat/module/o365/audit/test/14-sp-sharing-op.log-expected.json index 399814ae9a0..56c34560fc8 100644 --- a/x-pack/filebeat/module/o365/audit/test/14-sp-sharing-op.log-expected.json +++ b/x-pack/filebeat/module/o365/audit/test/14-sp-sharing-op.log-expected.json @@ -39,6 +39,9 @@ "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "related.user": "app", "service.type": "o365", + "tags": [ + "cloud" + ], "user.domain": "sharepoint", "user.id": "app@sharepoint", "user.name": "app", @@ -86,6 +89,9 @@ "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "related.user": "app", "service.type": "o365", + "tags": [ + "cloud" + ], "user.domain": "sharepoint", "user.id": "app@sharepoint", "user.name": "app", @@ -133,6 +139,9 @@ "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "related.user": "app", "service.type": "o365", + "tags": [ + "cloud" + ], "user.domain": "sharepoint", "user.id": "app@sharepoint", "user.name": "app", @@ -180,6 +189,9 @@ "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "related.user": "app", "service.type": "o365", + "tags": [ + "cloud" + ], "user.domain": "sharepoint", "user.id": "app@sharepoint", "user.name": "app", @@ -227,6 +239,9 @@ "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "related.user": "app", "service.type": "o365", + "tags": [ + "cloud" + ], "user.domain": "sharepoint", "user.id": "app@sharepoint", "user.name": "app", 
@@ -289,6 +304,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "79.159.10.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -359,6 +377,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "79.159.10.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -430,6 +451,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "79.159.10.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -501,6 +525,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "79.159.10.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -572,6 +599,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "79.159.10.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", diff --git a/x-pack/filebeat/module/o365/audit/test/15-azuread-sts-logon.log-expected.json b/x-pack/filebeat/module/o365/audit/test/15-azuread-sts-logon.log-expected.json index 948359f11ca..12475b5e527 100644 --- a/x-pack/filebeat/module/o365/audit/test/15-azuread-sts-logon.log-expected.json +++ b/x-pack/filebeat/module/o365/audit/test/15-azuread-sts-logon.log-expected.json @@ -81,6 +81,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", 
@@ -174,6 +177,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "79.159.10.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -267,6 +273,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -360,6 +369,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "79.159.10.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -453,6 +465,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "79.159.10.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -546,6 +561,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -639,6 +657,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -732,6 +753,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", 
@@ -825,6 +849,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "79.159.10.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -918,6 +945,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -1011,6 +1041,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "79.159.10.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -1104,6 +1137,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -1197,6 +1233,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -1290,6 +1329,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -1380,6 +1422,9 @@ "source.geo.location.lat": 40.4172, "source.geo.location.lon": -3.684, "source.ip": "37.29.234.179", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", 
@@ -1473,6 +1518,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -1566,6 +1614,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "79.159.10.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -1656,6 +1707,9 @@ "source.geo.location.lat": 40.4172, "source.geo.location.lon": -3.684, "source.ip": "37.29.234.179", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -1749,6 +1803,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -1842,6 +1899,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -1935,6 +1995,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "79.159.10.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -2028,6 +2091,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", 
@@ -2121,6 +2187,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "79.159.10.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -2214,6 +2283,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -2307,6 +2379,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -2400,6 +2475,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "79.159.10.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -2493,6 +2571,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "79.159.10.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -2586,6 +2667,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "79.159.10.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -2679,6 +2763,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", 
@@ -2771,6 +2858,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -2865,6 +2955,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -2948,6 +3041,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "79.159.10.151", + "tags": [ + "cloud" + ], "user.id": "Unknown", "user_agent.device.name": "Other", "user_agent.name": "Firefox", @@ -3039,6 +3135,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -3122,6 +3221,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.id": "Unknown", "user_agent.device.name": "Other", "user_agent.name": "Firefox", @@ -3214,6 +3316,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -3297,6 +3402,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.id": "Unknown", "user_agent.device.name": "Other", "user_agent.name": "Firefox", 
@@ -3389,6 +3497,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -3482,6 +3593,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -3575,6 +3689,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -3658,6 +3775,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "79.159.10.151", + "tags": [ + "cloud" + ], "user.id": "Unknown", "user_agent.device.name": "Other", "user_agent.name": "Firefox", @@ -3750,6 +3870,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "79.159.10.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -3840,6 +3963,9 @@ "source.geo.location.lat": 40.4172, "source.geo.location.lon": -3.684, "source.ip": "37.29.234.179", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -3933,6 +4059,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "79.159.10.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", 
@@ -4026,6 +4155,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -4109,6 +4241,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.id": "Unknown", "user_agent.device.name": "Other", "user_agent.name": "Firefox", @@ -4200,6 +4335,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "79.159.10.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -4293,6 +4431,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -4386,6 +4527,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "79.159.10.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -4479,6 +4623,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -4572,6 +4719,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", 
@@ -4665,6 +4815,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "79.159.10.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -4758,6 +4911,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -4851,6 +5007,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -4944,6 +5103,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -5037,6 +5199,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -5130,6 +5295,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -5223,6 +5391,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "79.159.10.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", 
@@ -5316,6 +5487,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "79.159.10.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -5406,6 +5580,9 @@ "source.geo.location.lat": 40.4172, "source.geo.location.lon": -3.684, "source.ip": "37.29.234.179", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -5499,6 +5676,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -5592,6 +5772,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -5685,6 +5868,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -5778,6 +5964,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -5871,6 +6060,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "79.159.10.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", 
@@ -5964,6 +6156,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -6057,6 +6252,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -6150,6 +6348,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -6243,6 +6444,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", @@ -6336,6 +6540,9 @@ "source.geo.region_iso_code": "ES-B", "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", diff --git a/x-pack/filebeat/module/o365/audit/test/22-yammer.log-expected.json b/x-pack/filebeat/module/o365/audit/test/22-yammer.log-expected.json index d0ed002d522..05c952c3a79 100644 --- a/x-pack/filebeat/module/o365/audit/test/22-yammer.log-expected.json +++ b/x-pack/filebeat/module/o365/audit/test/22-yammer.log-expected.json @@ -54,6 +54,9 @@ "source.geo.region_name": "Barcelona", "source.ip": "79.159.10.151", "source.port": "12345", + "tags": [ + "cloud" + ], "user.email": "alice@testsiem2.onmicrosoft.com", "user.id": "36787265537" }, 
@@ -103,6 +106,9 @@ "service.type": "o365", "source.ip": "fdfd::555", "source.port": "12346", + "tags": [ + "cloud" + ], "user.email": "asr@testsiem2.onmicrosoft.com", "user.id": "36085768193" } diff --git a/x-pack/filebeat/module/o365/audit/test/25-ms-teams.log-expected.json b/x-pack/filebeat/module/o365/audit/test/25-ms-teams.log-expected.json index 40e3e3dd3ad..a91040b14d4 100644 --- a/x-pack/filebeat/module/o365/audit/test/25-ms-teams.log-expected.json +++ b/x-pack/filebeat/module/o365/audit/test/25-ms-teams.log-expected.json @@ -29,6 +29,9 @@ "o365.audit.Workload": "MicrosoftTeams", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "Application" }, { @@ -85,6 +88,9 @@ "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "related.user": "asr", "service.type": "o365", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -128,6 +134,9 @@ "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "related.user": "asr", "service.type": "o365", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -162,6 +171,9 @@ "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "related.user": "bob", "service.type": "o365", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "bob@testsiem.onmicrosoft.com", "user.name": "bob" diff --git a/x-pack/filebeat/module/o365/audit/test/40-sec-comp-alerts.log-expected.json b/x-pack/filebeat/module/o365/audit/test/40-sec-comp-alerts.log-expected.json index beee3341761..97e6ac440ce 100644 --- a/x-pack/filebeat/module/o365/audit/test/40-sec-comp-alerts.log-expected.json +++ b/x-pack/filebeat/module/o365/audit/test/40-sec-comp-alerts.log-expected.json 
@@ -57,6 +57,9 @@ ], "rule.ruleset": "User", "service.type": "o365", + "tags": [ + "cloud" + ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr" @@ -108,6 +111,9 @@ "rule.name": "Elevation of Exchange admin privilege", "rule.reference": "http://example.net/single", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "SecurityComplianceAlerts" }, { @@ -159,6 +165,9 @@ "rule.name": "Phony Malware Alert", "rule.ruleset": "MalwareFamily", "service.type": "o365", + "tags": [ + "cloud" + ], "threat.technique.id": "Malware/Evil.Malware.B", "user.id": "SecurityComplianceAlerts" } diff --git a/x-pack/filebeat/module/o365/audit/test/52-data-insights-api.log-expected.json b/x-pack/filebeat/module/o365/audit/test/52-data-insights-api.log-expected.json index 3ea637aee91..5b5d74e5f5d 100644 --- a/x-pack/filebeat/module/o365/audit/test/52-data-insights-api.log-expected.json +++ b/x-pack/filebeat/module/o365/audit/test/52-data-insights-api.log-expected.json @@ -28,6 +28,9 @@ "o365.audit.Workload": "SecurityComplianceCenter", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "Service Account" }, { @@ -59,6 +62,9 @@ "o365.audit.Workload": "SecurityComplianceCenter", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "Service Account" }, { @@ -90,6 +96,9 @@ "o365.audit.Workload": "SecurityComplianceCenter", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "Service Account" }, { @@ -121,6 +130,9 @@ "o365.audit.Workload": "SecurityComplianceCenter", "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd", "service.type": "o365", + "tags": [ + "cloud" + ], "user.id": "Service Account" }, { 
@@ -152,6 +164,9 @@
"o365.audit.Workload": "SecurityComplianceCenter",
"organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
"service.type": "o365",
+ "tags": [
+ "cloud"
+ ],
"user.id": "Service Account"
},
{
@@ -183,6 +198,9 @@
"o365.audit.Workload": "SecurityComplianceCenter",
"organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
"service.type": "o365",
+ "tags": [
+ "cloud"
+ ],
"user.id": "Service Account"
},
{
@@ -214,6 +232,9 @@
"o365.audit.Workload": "SecurityComplianceCenter",
"organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
"service.type": "o365",
+ "tags": [
+ "cloud"
+ ],
"user.id": "Service Account"
},
{
@@ -245,6 +266,9 @@
"o365.audit.Workload": "SecurityComplianceCenter",
"organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
"service.type": "o365",
+ "tags": [
+ "cloud"
+ ],
"user.id": "Service Account"
},
{
@@ -276,6 +300,9 @@
"o365.audit.Workload": "SecurityComplianceCenter",
"organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
"service.type": "o365",
+ "tags": [
+ "cloud"
+ ],
"user.id": "Service Account"
}
]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/okta/system/config/input.yml b/x-pack/filebeat/module/okta/system/config/input.yml
index 79181de3c56..d824a23a010 100644
--- a/x-pack/filebeat/module/okta/system/config/input.yml
+++ b/x-pack/filebeat/module/okta/system/config/input.yml
@@ -25,6 +25,8 @@ paths:
exclude_files: [".gz$"]
{{ end }}
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "cloud" }}
processors:
- script:
diff --git a/x-pack/filebeat/module/okta/system/manifest.yml b/x-pack/filebeat/module/okta/system/manifest.yml
index 639a4c95c80..b07590b8771 100644
--- a/x-pack/filebeat/module/okta/system/manifest.yml
+++ b/x-pack/filebeat/module/okta/system/manifest.yml
@@ -46,6 +46,8 @@ var:
- name: ssl
default: |-
{}
+ - name: tags
+ default: [cloud]
input: config/input.yml
ingest_pipeline: ingest/pipeline.yml
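Review bot: The new `publisher_pipeline.disable_host: {{ inList .tags "cloud" }}` line in okta input.yml makes host suppression depend on a bare tag literal without saying so, and that same literal has to stay in step with the `add_host_metadata` condition the commit description places in processors.yml.tmpl (outside this chunk), so a user who overrides `var.tags` without keeping `cloud` silently gets `host.*` fields pointing at the Filebeat host again. A comment above the line would make the contract visible, e.g. `# host.* would describe the Filebeat host, not the tenant; suppressed whenever the "cloud" tag is set (must match the add_host_metadata condition).`, and the `tags` var added to the okta manifest hunk could carry `# Drop "cloud" only if Filebeat should add host.* to these events.`. The panw input.yml hunk on the next line and the panw manifest hunk after it have the same undocumented coupling with the `forwarded` tag. The `inList` helper is presumably the fileset.go change listed in the diffstat; its behaviour when `var.tags` is not a list is not visible here.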
diff --git a/x-pack/filebeat/module/okta/system/test/okta-system-test.json.log-expected.json b/x-pack/filebeat/module/okta/system/test/okta-system-test.json.log-expected.json
index 5406413e333..56d698198d5 100644
--- a/x-pack/filebeat/module/okta/system/test/okta-system-test.json.log-expected.json
+++ b/x-pack/filebeat/module/okta/system/test/okta-system-test.json.log-expected.json
@@ -62,6 +62,9 @@
"source.ip": "108.255.197.247",
"source.user.full_name": "xxxxxx",
"source.user.id": "00u1abvz4pYqdM8ms4x6",
+ "tags": [
+ "cloud"
+ ],
"user_agent.device.name": "Other",
"user_agent.name": "Firefox",
"user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0",
@@ -134,6 +137,9 @@
"source.ip": "108.255.197.247",
"source.user.full_name": "xxxxxx",
"source.user.id": "00u1abvz4pYqdM8ms4x6",
+ "tags": [
+ "cloud"
+ ],
"user_agent.device.name": "Other",
"user_agent.name": "Firefox",
"user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0",
@@ -221,6 +227,9 @@
"source.ip": "108.255.197.247",
"source.user.full_name": "xxxxxx",
"source.user.id": "00u1abvz4pYqdM8ms4x6",
+ "tags": [
+ "cloud"
+ ],
"user_agent.device.name": "Other",
"user_agent.name": "Firefox",
"user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0",
diff --git a/x-pack/filebeat/module/panw/panos/config/input.yml b/x-pack/filebeat/module/panw/panos/config/input.yml
index 01c83a6f789..845310985a1 100644
--- a/x-pack/filebeat/module/panw/panos/config/input.yml
+++ b/x-pack/filebeat/module/panw/panos/config/input.yml
@@ -15,7 +15,15 @@ exclude_files: [".gz$"]
{{ end }}
-tags: {{.tags}}
+tags: {{.tags | tojson}}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
+
+fields_under_root: true
+fields:
+ observer:
+ vendor: Palo Alto Networks
+ product: PAN-OS
+ type: firewall
processors:
- add_locale: ~
diff --git a/x-pack/filebeat/module/panw/panos/manifest.yml b/x-pack/filebeat/module/panw/panos/manifest.yml
index 4c356d65080..36f901c2845 100644
--- a/x-pack/filebeat/module/panw/panos/manifest.yml
+++ b/x-pack/filebeat/module/panw/panos/manifest.yml
@@ -5,7 +5,7 @@ var:
default:
- /var/log/pan-os.log
- name: tags
- default: [pan-os]
+ default: [pan-os, forwarded]
- name: syslog_host
default: localhost
- name: syslog_port
diff --git a/x-pack/filebeat/module/panw/panos/test/pan_inc_other.log-expected.json b/x-pack/filebeat/module/panw/panos/test/pan_inc_other.log-expected.json
index 5b43295399c..078655fbc54 100644
--- a/x-pack/filebeat/module/panw/panos/test/pan_inc_other.log-expected.json
+++ b/x-pack/filebeat/module/panw/panos/test/pan_inc_other.log-expected.json
@@ -52,7 +52,10 @@
"network.packets": 1,
"network.transport": "tcp",
"network.type": "ipv4",
+ "observer.product": "PAN-OS",
"observer.serial_number": "01606001116",
+ "observer.type": "firewall",
+ "observer.vendor": "Palo Alto Networks",
"panw.panos.action": "allow",
"panw.panos.destination.interface": "ethernet1/1",
"panw.panos.destination.nat.ip": "0.0.0.0",
@@ -91,7 +94,8 @@
"source.port": 59309,
"source.user.name": "crusher",
"tags": [
- "pan-os"
+ "pan-os",
+ "forwarded"
]
}
]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/panw/panos/test/pan_inc_threat.log-expected.json b/x-pack/filebeat/module/panw/panos/test/pan_inc_threat.log-expected.json
index f6ca00ac200..b92347c5645 100644
--- a/x-pack/filebeat/module/panw/panos/test/pan_inc_threat.log-expected.json
+++ b/x-pack/filebeat/module/panw/panos/test/pan_inc_threat.log-expected.json
@@ -45,7 +45,10 @@ "network.community_id": "1:mY2EPMYo0US42k87/2uTzjo/rGA=", "network.direction": "inbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -83,7 +86,8 @@ "source.port": 59309, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "lorexx.cn/loader.exe" }, @@ -133,7 +137,10 @@ "network.community_id": "1:0fIOSC1t62T9ExNKvZaxl657EVc=", "network.direction": "inbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -171,7 +178,8 @@ "source.port": 59313, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "lsiu.info/evo/count.php?o=2" }, @@ -221,7 +229,10 @@ "network.community_id": "1:bZl1JgwyPgfsbSrD+z8I/hpbdc4=", "network.direction": "inbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -259,7 +270,8 @@ "source.port": 59314, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "lsiu.info/evo/count.php?o=5" }, 
@@ -309,7 +321,10 @@ "network.community_id": "1:ghLw4NDj0JmAhH9lVtlhdQpqEQ0=", "network.direction": "inbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -347,7 +362,8 @@ "source.port": 59315, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "lsiu.info/evo/count.php?o=7" }, @@ -397,7 +413,10 @@ "network.community_id": "1:aiB5YppFUGX0pM/1Xtp3qOSFXJw=", "network.direction": "inbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -435,7 +454,8 @@ "source.port": 59316, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "lsiu.info/evo/exploits/x18.php?o=2&t=1241403746&i=1365814122" }, @@ -485,7 +505,10 @@ "network.community_id": "1:GOqfpUTezPkpm6axBI22kY90kU4=", "network.direction": "inbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -523,7 +546,8 @@ "source.port": 59317, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "lsiu.info/evo/exploits/x19.php?o=2&t=1241403746&i=1365814122" }, 
@@ -573,7 +597,10 @@ "network.community_id": "1:22ouAyA1O0KgUQOEKP20E7gNa2U=", "network.direction": "inbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -611,7 +638,8 @@ "source.port": 59302, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "liteautobestguide.cn/load.php" }, @@ -661,7 +689,10 @@ "network.community_id": "1:phQpgsVhj3YxNYzeNkqdzDgcMCg=", "network.direction": "inbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -699,7 +730,8 @@ "source.port": 59301, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "liteautobestguide.cn/index.php" }, @@ -749,7 +781,10 @@ "network.community_id": "1:6kV576B7jMsBLC62npA6Dgi/zMI=", "network.direction": "inbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -787,7 +822,8 @@ "source.port": 59303, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "litetopdetect.cn/index.php" }, 
@@ -837,7 +873,10 @@ "network.community_id": "1:h+XKHvMK2Oz7QQvaJdhsJWE2c9E=", "network.direction": "inbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -875,7 +914,8 @@ "source.port": 59304, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "lkmpmlm.com/fff9999.php?aid=0&uid=6cbbc5081e7548e276611ff5059df6ed30c8f8f1&os=513" }, @@ -925,7 +965,10 @@ "network.community_id": "1:Sa+u435/AIAAeEelFduJmiGLOv0=", "network.direction": "inbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -963,7 +1006,8 @@ "source.port": 59297, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "girlteenxxxfreemov.com/" }, @@ -1013,7 +1057,10 @@ "network.community_id": "1:C9009xCOuCuGvMPT4caMCizoYr0=", "network.direction": "inbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -1051,7 +1098,8 @@ "source.port": 59299, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "imagesrepository.com/resolution.php" }, 
@@ -1101,7 +1149,10 @@ "network.community_id": "1:BG6Rk6e+H9jRcZHXqRPFG4iA3uU=", "network.direction": "inbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -1139,7 +1190,8 @@ "source.port": 59298, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "hottestfiles.com/search/search.php?q=xxx" }, @@ -1188,7 +1240,10 @@ "network.community_id": "1:YDMNSbru670DK5EMT3E28WFJPz4=", "network.direction": "inbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -1226,7 +1281,8 @@ "source.port": 59300, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "infodist1.com/in.cgi?11¶meter=404" }, @@ -1276,7 +1332,10 @@ "network.community_id": "1:AEtFqIuwxZ9TQ3w9m74nOrboCXE=", "network.direction": "inbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -1314,7 +1373,8 @@ "source.port": 59295, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "cls-softwares.com/suc.php" }, 
@@ -1364,7 +1424,10 @@ "network.community_id": "1:AuQEAPptnfXLW8oL/ac3CM4Gnnw=", "network.direction": "inbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -1402,7 +1465,8 @@ "source.port": 59291, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "cls-softwares.com/softwarefortubeview.40013.exe" }, @@ -1448,7 +1512,10 @@ "network.community_id": "1:v73LbTZDPLO+1dzNRixeZAmolJ0=", "network.direction": "inbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -1486,7 +1553,8 @@ "source.port": 59296, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "findmorepill.com/klik/search.php?q=xxx" }, @@ -1536,7 +1604,10 @@ "network.community_id": "1:IRI0j5xLyLhwaONpy7gVZdl/Qow=", "network.direction": "inbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -1574,7 +1645,8 @@ "source.port": 59280, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "allowedwebsurfing.com/" }, 
@@ -1624,7 +1696,10 @@ "network.community_id": "1:/tG+YfZ8qFKrUDfQ7EThCBXci9Y=", "network.direction": "inbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -1662,7 +1737,8 @@ "source.port": 59281, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "antivirus-remote.com/" }, @@ -1712,7 +1788,10 @@ "network.community_id": "1:Vfi4CxQayypb3DoxclNfeNjXdjo=", "network.direction": "inbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -1750,7 +1829,8 @@ "source.port": 59282, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "bklinkov.ru/hi/start.cfg" }, @@ -1800,7 +1880,10 @@ "network.community_id": "1:2UbFMV1DsXMB0b/AUotNCCsHm0s=", "network.direction": "inbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -1838,7 +1921,8 @@ "source.port": 59290, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "blogsexnakedgirlxxx.com/" }, 
@@ -1888,7 +1972,10 @@ "network.community_id": "1:M8DHGZjrHyuCRpC9MNNfDUke5g4=", "network.direction": "inbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -1926,7 +2013,8 @@ "source.port": 59286, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "bklinkov.ru/hi/start.exe" }, @@ -1976,7 +2064,10 @@ "network.community_id": "1:AVMiOufq2owuhWpcu/TfRJ38tv4=", "network.direction": "inbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -2014,7 +2105,8 @@ "source.port": 59275, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "-/" }, @@ -2064,7 +2156,10 @@ "network.community_id": "1:/+Opb16c1ye6uLeu1/TNC+SGnYs=", "network.direction": "inbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -2102,7 +2197,8 @@ "source.port": 59277, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "-/" }, 
@@ -2152,7 +2248,10 @@ "network.community_id": "1:uslltTePy/m8Gxhk/MgPbZfk6Rg=", "network.direction": "inbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -2190,7 +2289,8 @@ "source.port": 59276, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "-/" }, @@ -2240,7 +2340,10 @@ "network.community_id": "1:WiUImNtgjkeNDi1Qigg7+Y6pDAg=", "network.direction": "inbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -2278,7 +2381,8 @@ "source.port": 59278, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "-/" }, @@ -2328,7 +2432,10 @@ "network.community_id": "1:FmIwID3HJ4Q0574SjlhMHApz/Hs=", "network.direction": "inbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -2366,7 +2473,8 @@ "source.port": 59279, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "-/" }, 
@@ -2416,7 +2524,10 @@ "network.community_id": "1:6AuZBrHKsUJjLNgm/mJ5QToaPo8=", "network.direction": "inbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -2454,7 +2565,8 @@ "source.port": 59271, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "-/" }, @@ -2504,7 +2616,10 @@ "network.community_id": "1:NwAT+gtzMjRwKS71Tn+YaKwyOvI=", "network.direction": "inbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -2542,7 +2657,8 @@ "source.port": 59269, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "-/" }, @@ -2592,7 +2708,10 @@ "network.community_id": "1:mTTbk9h6Dgx6lH3l4aEHguufZVE=", "network.direction": "inbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -2630,7 +2749,8 @@ "source.port": 59270, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "-/" }, 
@@ -2680,7 +2800,10 @@ "network.community_id": "1:/0xM0KlMLwieymkDApfqS3/WWiQ=", "network.direction": "inbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -2718,7 +2841,8 @@ "source.port": 59274, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "-/" }, @@ -2768,7 +2892,10 @@ "network.community_id": "1:VLKKVfau50s2qjTDcucU+VKCAqY=", "network.direction": "inbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -2806,7 +2933,8 @@ "source.port": 59273, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "-/" }, @@ -2856,7 +2984,10 @@ "network.community_id": "1:jAvA0C85T0GFKryKA312lLEtKIM=", "network.direction": "inbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -2894,7 +3025,8 @@ "source.port": 59272, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "-/" }, 
@@ -2940,7 +3072,10 @@ "network.community_id": "1:Jqiwb/u74kolY3Y1yGkp+oMAxT4=", "network.direction": "inbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -2978,7 +3113,8 @@ "source.port": 59261, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "wantfinest.com/tds/in.cgi?default" }, @@ -3024,7 +3160,10 @@ "network.community_id": "1:q84mXt2kLt843wk0Y5vtvJwq+bc=", "network.direction": "inbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -3062,7 +3201,8 @@ "source.port": 59248, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "sameshitasiteverwas.com/traf/tds/in.cgi?2" }, @@ -3108,7 +3248,10 @@ "network.community_id": "1:1jDSU+BTdTOAQSrWGRbSjxehwNg=", "network.direction": "inbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -3146,7 +3289,8 @@ "source.port": 59251, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "svarkon.ru/update.exe" }, 
@@ -3195,7 +3339,10 @@ "network.community_id": "1:vGp9HpobYZmzzLGyDAG6oVAe4dg=", "network.direction": "inbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -3233,7 +3380,8 @@ "source.port": 59244, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "onlinescanxpp.com/land/eurl/1.php?code=" }, @@ -3279,7 +3427,10 @@ "network.community_id": "1:8JiI5Ka3Oyz6yaLm3xObTqAo/Jw=", "network.direction": "inbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -3317,7 +3468,8 @@ "source.port": 59237, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "nolagtime.com/conn/?JKV_1RWbUUdIfRUWUaITfdIfbREdYEYdfTTRI-6XBB_1WQR-6GF5_1AU-6LC6_1Y-gW-gEUQQ-gE-tsDF6K5D_rpX51_rR-t-66FC_1Q_fQ_fQ_fQ_fQ_fQ_fQ_fQ-62BG_1Q-672V_1YOR-6N8J_1Q-6252_1WQRR-69LV_1-65GZ_1W-6" }, @@ -3363,7 +3515,10 @@ "network.community_id": "1:lOdKYo+aMIHRMMJPawuXy8Bk2I0=", "network.direction": "inbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -3401,7 +3556,8 @@ "source.port": 59238, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "nolagtime.com/gwc.txt" }, 
@@ -3450,7 +3606,10 @@ "network.community_id": "1:rDRkkTH2aHta89i52OraqG5WcDI=", "network.direction": "inbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -3488,7 +3647,8 @@ "source.port": 59010, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "karavan.us/bon/index.php" }, @@ -3534,7 +3694,10 @@ "network.community_id": "1:00fHGTkjtblnJQ9P4Wiw9QuDEpI=", "network.direction": "inbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -3572,7 +3735,8 @@ "source.port": 58969, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "findnolimits.com/go.php?sid=1" }, @@ -3618,7 +3782,10 @@ "network.community_id": "1:sQ6YL9T0OZftMg71BK+1IHpXIRM=", "network.direction": "inbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -3656,7 +3823,8 @@ "source.port": 58941, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "bizoplata.ru/moun.html" }, 
@@ -3702,7 +3870,10 @@ "network.community_id": "1:a3rlKRtYt43mps+uHBznJUtG3Qg=", "network.direction": "inbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -3740,7 +3911,8 @@ "source.port": 58942, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "bizoplata.ru/palast.html" }, @@ -3777,7 +3949,10 @@ "network.community_id": "1:gfZAOGdC3xAoPZCFZCwHJJ7Iin4=", "network.direction": "outbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "drop-all-packets", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -3824,7 +3999,8 @@ "source.nat.port": 0, "source.port": 80, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "controller.php" }, @@ -3873,7 +4049,10 @@ "network.community_id": "1:VeoAydUSFUdh8ZddIqbsMY32sBU=", "network.direction": "inbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -3911,7 +4090,8 @@ "source.port": 58856, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "www.15min.it/" }, 
@@ -3957,7 +4137,10 @@ "network.community_id": "1:ZsFVG8FJVifp8WmzI9Zj/lo+dB4=", "network.direction": "inbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -3995,7 +4178,8 @@ "source.port": 58847, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "tubemov.com/" }, @@ -4041,7 +4225,10 @@ "network.community_id": "1:NAfQ33YdKJSvbcxpFK8HIhI39lk=", "network.direction": "inbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -4079,7 +4266,8 @@ "source.port": 58841, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "pagesinxt.com/?dn=teenstube.us&flrdr=yes&nxte=js" }, @@ -4125,7 +4313,10 @@ "network.community_id": "1:AMcTUl91PN0z8TJr2QwdEOP+Fmo=", "network.direction": "inbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -4163,7 +4354,8 @@ "source.port": 58795, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "movfree.com/" }, 
@@ -4212,7 +4404,10 @@ "network.community_id": "1:7Tdwe73AJMSdJL4hxpQDyl5Lwn4=", "network.direction": "inbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -4250,7 +4445,8 @@ "source.port": 58753, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "gometascan.com/" }, @@ -4299,7 +4495,10 @@ "network.community_id": "1:q7ERSuCoAPSiI8xLXZCI+1M9B8I=", "network.direction": "inbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -4337,7 +4536,8 @@ "source.port": 58708, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "antivirus-powerful-scannerv2.com/download/Install_11-1.exe" }, @@ -4386,7 +4586,10 @@ "network.community_id": "1:AsPpOgQhhKdBtPhY4zahdBuNcTc=", "network.direction": "inbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -4424,7 +4627,8 @@ "source.port": 58707, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "antivirus-powerful-scannerv2.com/1/?id=11-1&back==TQzyDTyMUQNMI=N" }, 
@@ -4473,7 +4677,10 @@ "network.community_id": "1:Inta5pHrKZ+nIMo9QJjgmv1raGE=", "network.direction": "inbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "1606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -4511,7 +4718,8 @@ "source.port": 58603, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "basdzsdas.com/poker/config.bin" }, @@ -4560,7 +4768,10 @@ "network.community_id": "1:Inta5pHrKZ+nIMo9QJjgmv1raGE=", "network.direction": "inbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "1606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -4598,7 +4809,8 @@ "source.port": 58603, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "basdzsdas.com/poker/config.bin" }, @@ -4638,7 +4850,10 @@ "network.community_id": "1:to6WA2KM9vqO74DfMPJ8+v0cKPs=", "network.direction": "outbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "1606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "deny", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -4685,7 +4900,8 @@ "source.nat.port": 0, "source.port": 80, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "uLLGRaXP.exe" }, 
@@ -4734,7 +4950,10 @@ "network.community_id": "1:Inta5pHrKZ+nIMo9QJjgmv1raGE=", "network.direction": "inbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "1606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -4772,7 +4991,8 @@ "source.port": 58603, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "basdzsdas.com/poker/config.bin" }, @@ -4812,7 +5032,10 @@ "network.community_id": "1:dHpseryW+AZk/t5IUvlyhaLSGI0=", "network.direction": "outbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "deny", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -4859,7 +5082,8 @@ "source.nat.port": 0, "source.port": 80, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "FunkyEmoticons_setup.exe" }, @@ -4899,7 +5123,10 @@ "network.community_id": "1:lIp7rPLlF21gCwZ63WafZ2HbNKA=", "network.direction": "outbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "deny", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -4945,7 +5172,8 @@ "source.nat.port": 0, "source.port": 80, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "52hxw.exe" }, 
@@ -4994,7 +5222,10 @@ "network.community_id": "1:n39Q6RPkLwPiDU/pfHT7uRZGkXY=", "network.direction": "inbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -5032,7 +5263,8 @@ "source.port": 63007, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "softsellfast.com/test/config.bin" }, @@ -5072,7 +5304,10 @@ "network.community_id": "1:69YGwS9/vtp36Khj80nU/Q0TTfM=", "network.direction": "outbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "deny", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -5116,7 +5351,8 @@ "source.nat.port": 0, "source.port": 80, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "setup.exe" }, @@ -5156,7 +5392,10 @@ "network.community_id": "1:MKMWzixtfYaSoShU7T3wN6MLk5g=", "network.direction": "outbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "deny", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -5203,7 +5442,8 @@ "source.nat.port": 0, "source.port": 80, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "Live-Player_setup.exe" }, 
@@ -5249,7 +5489,10 @@ "network.community_id": "1:J4hfLZVy8UJEkW68RkW2hMu84Wk=", "network.direction": "inbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -5287,7 +5530,8 @@ "source.port": 59709, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "boialex.narod.ru/config.txt" }, @@ -5333,7 +5577,10 @@ "network.community_id": "1:1211QM61Juawz4PBXLQBL9Q2FNA=", "network.direction": "inbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -5371,7 +5618,8 @@ "source.port": 59721, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "edw-melon.narod.ru/config.txt" }, @@ -5417,7 +5665,10 @@ "network.community_id": "1:MQfJlERz16LAn6Hn1YhCNKLOjjA=", "network.direction": "inbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -5455,7 +5706,8 @@ "source.port": 59752, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "maximtushin.narod.ru/config.txt" }, 
@@ -5495,7 +5747,10 @@ "network.community_id": "1:to6WA2KM9vqO74DfMPJ8+v0cKPs=", "network.direction": "outbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "deny", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -5542,7 +5797,8 @@ "source.nat.port": 0, "source.port": 80, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "uLLGRaXP.exe" }, @@ -5591,7 +5847,10 @@ "network.community_id": "1:uO6RhHsqSUg1LHv5h+n+FE4cqrE=", "network.direction": "inbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -5629,7 +5888,8 @@ "source.port": 63183, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "marketingsoluchion.biz/fkn/config.bin" }, @@ -5678,7 +5938,10 @@ "network.community_id": "1:KC3xpBK9CdouZqamG9S6Mjl6LIo=", "network.direction": "inbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -5716,7 +5979,8 @@ "source.port": 1047, "source.user.name": "jordy", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "default.aspx" }, 
@@ -5756,7 +6020,10 @@ "network.community_id": "1:qtNTXnMjHLAldLWQ5/jdyuCV6Yk=", "network.direction": "outbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -5803,7 +6070,8 @@ "source.nat.port": 0, "source.port": 80, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "sck.aspx" }, @@ -5843,7 +6111,10 @@ "network.community_id": "1:OSQCnxYE2CqKztyfnzJHya/llPw=", "network.direction": "outbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -5890,7 +6161,8 @@ "source.nat.port": 0, "source.port": 80, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "ADSAdClient31.dll" }, @@ -5939,7 +6211,10 @@ "network.community_id": "1:MeB0cefg5kMN7f+LW+cirwH2nA8=", "network.direction": "inbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -5977,7 +6252,8 @@ "source.port": 1048, "source.user.name": "jordy", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "c.gif" }, 
@@ -6017,7 +6293,10 @@ "network.community_id": "1:iDmf9CnG+CdUuHWmwVsmhee3/Qs=", "network.direction": "outbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -6061,7 +6340,8 @@ "source.nat.port": 0, "source.port": 80, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "csi" }, @@ -6107,7 +6387,10 @@ "network.community_id": "1:c67I85z1uJV7VW6M9MR5Q8fjHQM=", "network.direction": "inbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -6145,7 +6428,8 @@ "source.port": 57502, "source.user.name": "picard", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "internal-tuner.pandora.com" }, @@ -6185,7 +6469,10 @@ "network.community_id": "1:w5GKumufuJCv3Gw8bvP3vTxap24=", "network.direction": "outbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "reset-both", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -6229,7 +6516,8 @@ "source.nat.port": 0, "source.port": 80, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "js" }, 
@@ -6269,7 +6557,10 @@ "network.community_id": "1:a7oyQr47OdJP8ZnG9SCELvH8aco=", "network.direction": "outbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "deny", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -6316,7 +6607,8 @@ "source.nat.port": 0, "source.port": 80, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "about.exe" }, @@ -6356,7 +6648,10 @@ "network.community_id": "1:yyAK8WOE46l0/k8dVOECI6qa2zQ=", "network.direction": "outbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "reset-both", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -6400,7 +6695,8 @@ "source.nat.port": 0, "source.port": 80, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "js" }, @@ -6440,7 +6736,10 @@ "network.community_id": "1:15fj8zz0nlNi/Fnz8ibhS9Ihqdg=", "network.direction": "outbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "reset-both", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -6484,7 +6783,8 @@ "source.nat.port": 0, "source.port": 80, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "js" }, 
@@ -6524,7 +6824,10 @@ "network.community_id": "1:fl9AVyrQeXPX/eoeKOy+6/UoR8M=", "network.direction": "outbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "reset-both", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -6568,7 +6871,8 @@ "source.nat.port": 0, "source.port": 80, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "js" }, @@ -6608,7 +6912,10 @@ "network.community_id": "1:cHzYL+SCc86AntedL6fbRx+2wzE=", "network.direction": "outbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "reset-both", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -6652,7 +6959,8 @@ "source.nat.port": 0, "source.port": 80, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "js" }, @@ -6698,7 +7006,10 @@ "network.community_id": "1:pRuFj5DzdmtFceU+OTawbYPhbJg=", "network.direction": "inbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -6736,7 +7047,8 @@ "source.port": 52366, "source.user.name": "picard", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "__utm.gif" }, 
@@ -6776,7 +7088,10 @@ "network.community_id": "1:e27i7C6aBac+TOOJNFkXsvos7v0=", "network.direction": "outbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "reset-both", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -6820,7 +7135,8 @@ "source.nat.port": 0, "source.port": 80, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "js" }, @@ -6860,7 +7176,10 @@ "network.community_id": "1:I0nRW7fXHKg0He8sWEMh90mqrd8=", "network.direction": "outbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -6904,7 +7223,8 @@ "source.nat.port": 0, "source.port": 80, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "nav_logo107.png" }, @@ -6944,7 +7264,10 @@ "network.community_id": "1:W08oA4XVHxagaCryNLen9OoTnPk=", "network.direction": "outbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -6988,7 +7311,8 @@ "source.nat.port": 0, "source.port": 80, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "Eadweard_Muybridge" }, 
@@ -7028,7 +7352,10 @@ "network.community_id": "1:tvB7u/5+rW38IXXGXjbdYYdzJ5s=", "network.direction": "outbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -7072,7 +7399,8 @@ "source.nat.port": 0, "source.port": 80, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "load.php" }, @@ -7112,7 +7440,10 @@ "network.community_id": "1:LvKTW1EWi7nem/oAlX14Sg2W9kU=", "network.direction": "outbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "reset-both", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -7159,7 +7490,8 @@ "source.nat.port": 0, "source.port": 80, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "8fe44cb728c0f40750c64ee906eb72.css" }, @@ -7199,7 +7531,10 @@ "network.community_id": "1:Iur0h7DmmxbVfmJ8EKqn0v73b88=", "network.direction": "outbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "reset-both", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -7243,7 +7578,8 @@ "source.nat.port": 0, "source.port": 80, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "js" }, 
@@ -7283,7 +7619,10 @@ "network.community_id": "1:n3f9RX9U3DOM57vpn8aB1QSo2Yw=", "network.direction": "outbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "reset-both", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -7327,7 +7666,8 @@ "source.nat.port": 0, "source.port": 80, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "js" }, @@ -7367,7 +7707,10 @@ "network.community_id": "1:K6mY9EnrwYs1/a01d++OZ3kna2g=", "network.direction": "outbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -7414,7 +7757,8 @@ "source.nat.port": 0, "source.port": 80, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "appcast.xml" }, @@ -7454,7 +7798,10 @@ "network.community_id": "1:u89cWOeFF4sWlYYJHVB+nr6g6Qg=", "network.direction": "outbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "reset-both", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -7498,7 +7845,8 @@ "source.nat.port": 0, "source.port": 80, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "js" }, 
@@ -7538,7 +7886,10 @@ "network.community_id": "1:QmMWJ0pdk04yRgDj9m6OAKnXpDY=", "network.direction": "outbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -7582,7 +7933,8 @@ "source.nat.port": 0, "source.port": 80, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "csi" }, @@ -7622,7 +7974,10 @@ "network.community_id": "1:d3Kvg96HWrCNAfAK3vx2Uqglkdo=", "network.direction": "outbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -7669,7 +8024,8 @@ "source.nat.port": 0, "source.port": 80, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "index.php" }, @@ -7709,7 +8065,10 @@ "network.community_id": "1:+c2DVc+anjtRZ3iRsjbG51UM+JA=", "network.direction": "outbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "reset-both", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -7753,7 +8112,8 @@ "source.nat.port": 0, "source.port": 80, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "js" }, 
@@ -7799,7 +8159,10 @@ "network.community_id": "1:5z6QdMj01RaYM1NdZtQSRQgE9gk=", "network.direction": "inbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -7837,7 +8200,8 @@ "source.port": 49681, "source.user.name": "picard", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "__utm.gif" }, @@ -7877,7 +8241,10 @@ "network.community_id": "1:Ut9W+vlgpMAH7M4p87nZ/gF7zO8=", "network.direction": "outbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "reset-both", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -7921,7 +8288,8 @@ "source.nat.port": 0, "source.port": 80, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "js" }, @@ -7961,7 +8329,10 @@ "network.community_id": "1:MNjszUBgbVupAxKdr7W7OIvU2lo=", "network.direction": "outbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "reset-both", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -8005,7 +8376,8 @@ "source.nat.port": 0, "source.port": 80, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "js" }, 
@@ -8051,7 +8423,10 @@ "network.community_id": "1:PzMJQoALQDxnDaqwOEEz4zxyhHU=", "network.direction": "inbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -8089,7 +8464,8 @@ "source.port": 59781, "source.user.name": "jordy", "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "internal-tuner.pandora.com" }, @@ -8129,7 +8505,10 @@ "network.community_id": "1:ThkQfWduH5PZoI7qa/R4rWqT2VM=", "network.direction": "outbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "reset-both", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -8173,7 +8552,8 @@ "source.nat.port": 0, "source.port": 80, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "js" }, @@ -8213,7 +8593,10 @@ "network.community_id": "1:Fd/TWc6RIS9q2bsgzztXrAAL4Ek=", "network.direction": "outbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "reset-both", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -8257,7 +8640,8 @@ "source.nat.port": 0, "source.port": 80, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "js" }, 
@@ -8297,7 +8681,10 @@ "network.community_id": "1:7gqxhjxtnxyQnsvGukcI+WZWzAY=", "network.direction": "outbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "reset-both", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -8341,7 +8728,8 @@ "source.nat.port": 0, "source.port": 80, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "js" }, @@ -8381,7 +8769,10 @@ "network.community_id": "1:ZzHOd7AFzjbGqVCj9S3bTNHFX4Q=", "network.direction": "outbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "reset-both", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -8425,7 +8816,8 @@ "source.nat.port": 0, "source.port": 80, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "js" }, @@ -8465,7 +8857,10 @@ "network.community_id": "1:uH37XIov0Sgv5kARW8dP9vrOs7w=", "network.direction": "outbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "alert", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -8509,7 +8904,8 @@ "source.nat.port": 0, "source.port": 80, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "ga.js" }, 
@@ -8549,7 +8945,10 @@ "network.community_id": "1:9jnjFXERN6VFakI1U/qwzyqifzg=", "network.direction": "outbound", "network.transport": "tcp", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "reset-both", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -8593,7 +8992,8 @@ "source.nat.port": 0, "source.port": 80, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "js" } diff --git a/x-pack/filebeat/module/panw/panos/test/pan_inc_traffic.log-expected.json b/x-pack/filebeat/module/panw/panos/test/pan_inc_traffic.log-expected.json index c285f88d43d..5ce8f5cbe7c 100644 --- a/x-pack/filebeat/module/panw/panos/test/pan_inc_traffic.log-expected.json +++ b/x-pack/filebeat/module/panw/panos/test/pan_inc_traffic.log-expected.json @@ -52,7 +52,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -91,7 +94,8 @@ "source.port": 59324, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -144,7 +148,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -183,7 +190,8 @@ "source.port": 54448, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -236,7 +244,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -275,7 +286,8 @@ "source.port": 53121, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -331,7 +343,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -370,7 +385,8 @@ "source.port": 59323, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -426,7 +442,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -465,7 +484,8 @@ "source.port": 59322, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -518,7 +538,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -557,7 +580,8 @@ "source.port": 55766, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -610,7 +634,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -649,7 +676,8 @@ "source.port": 55072, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -705,7 +733,10 @@ "network.packets": 10, "network.transport": "tcp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -744,7 +775,8 @@ "source.port": 59207, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -800,7 +832,10 @@ "network.packets": 10, "network.transport": "tcp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -839,7 +874,8 @@ "source.port": 59209, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -895,7 +931,10 @@ "network.packets": 10, "network.transport": "tcp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -934,7 +973,8 @@ "source.port": 59208, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -990,7 +1030,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -1029,7 +1072,8 @@ "source.port": 59318, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -1085,7 +1129,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -1124,7 +1171,8 @@ "source.port": 59317, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -1180,7 +1228,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -1219,7 +1270,8 @@ "source.port": 59316, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -1275,7 +1327,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -1314,7 +1369,8 @@ "source.port": 59315, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -1370,7 +1426,10 @@ "network.packets": 10, "network.transport": "tcp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -1409,7 +1468,8 @@ "source.port": 59206, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -1465,7 +1525,10 @@ "network.packets": 10, "network.transport": "tcp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -1504,7 +1567,8 @@ "source.port": 59205, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -1560,7 +1624,10 @@ "network.packets": 21, "network.transport": "tcp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -1599,7 +1666,8 @@ "source.port": 56858, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -1655,7 +1723,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -1694,7 +1765,8 @@ "source.port": 59314, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -1750,7 +1822,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -1789,7 +1864,8 @@ "source.port": 59313, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -1842,7 +1918,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -1881,7 +1960,8 @@ "source.port": 52139, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -1934,7 +2014,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -1973,7 +2056,8 @@ "source.port": 60592, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -2029,7 +2113,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -2068,7 +2155,8 @@ "source.port": 59309, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -2121,7 +2209,10 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -2160,7 +2251,8 @@ "source.port": 57322, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -2216,7 +2308,10 @@ "network.packets": 10, "network.transport": "tcp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -2255,7 +2350,8 @@ "source.port": 59204, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -2311,7 +2407,10 @@ "network.packets": 10, "network.transport": "tcp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -2350,7 +2449,8 @@ "source.port": 59203, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -2406,7 +2506,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -2445,7 +2548,8 @@ "source.port": 59305, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -2498,7 +2602,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -2537,7 +2644,8 @@ "source.port": 64005, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -2590,7 +2698,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -2629,7 +2740,8 @@ "source.port": 58768, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -2685,7 +2797,10 @@ "network.packets": 16, "network.transport": "udp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -2724,7 +2839,8 @@ "source.port": 47752, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -2780,7 +2896,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -2819,7 +2938,8 @@ "source.port": 59304, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -2872,7 +2992,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -2911,7 +3034,8 @@ "source.port": 54533, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -2967,7 +3091,10 @@ "network.packets": 20, "network.transport": "tcp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -3006,7 +3133,8 @@ "source.port": 59201, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -3062,7 +3190,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -3101,7 +3232,8 @@ "source.port": 59303, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -3154,7 +3286,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -3193,7 +3328,8 @@ "source.port": 50876, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -3246,7 +3382,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -3285,7 +3424,8 @@ "source.port": 57657, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -3341,7 +3481,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -3380,7 +3523,8 @@ "source.port": 59302, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -3436,7 +3580,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -3475,7 +3622,8 @@ "source.port": 59301, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -3528,7 +3676,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -3567,7 +3718,8 @@ "source.port": 64844, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -3620,7 +3772,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -3659,7 +3814,8 @@ "source.port": 52257, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -3710,7 +3866,10 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -3744,7 +3903,8 @@ "source.packets": 1, "source.port": 38796, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -3797,7 +3957,10 @@ "network.packets": 13, "network.transport": "tcp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -3836,7 +3999,8 @@ "source.port": 59200, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -3890,7 +4054,10 @@ "network.packets": 17, "network.transport": "tcp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -3924,7 +4091,8 @@ "source.packets": 7, "source.port": 48412, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -3980,7 +4148,10 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -4019,7 +4190,8 @@ "source.port": 47752, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -4075,7 +4247,10 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -4114,7 +4289,8 @@ "source.port": 47752, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -4165,7 +4341,10 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -4199,7 +4378,8 @@ "source.packets": 1, "source.port": 52189, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -4255,7 +4435,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -4294,7 +4477,8 @@ "source.port": 59300, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -4347,7 +4531,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -4386,7 +4573,8 @@ "source.port": 54414, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -4442,7 +4630,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -4481,7 +4672,8 @@ "source.port": 59299, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -4534,7 +4726,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -4573,7 +4768,8 @@ "source.port": 60399, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -4626,7 +4822,10 @@ "network.packets": 4, "network.transport": "udp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -4665,7 +4864,8 @@ "source.port": 59626, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -4718,7 +4918,10 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -4757,7 +4960,8 @@ "source.port": 51542, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -4810,7 +5014,10 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -4849,7 +5056,8 @@ "source.port": 54182, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -4902,7 +5110,10 @@ "network.packets": 13, "network.transport": "tcp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -4941,7 +5152,8 @@ "source.port": 59199, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -4997,7 +5209,10 @@ "network.packets": 22, "network.transport": "tcp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -5036,7 +5251,8 @@ "source.port": 59198, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -5092,7 +5308,10 @@ "network.packets": 21, "network.transport": "tcp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -5131,7 +5350,8 @@ "source.port": 56856, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -5184,7 +5404,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -5223,7 +5446,8 @@ "source.port": 52489, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -5279,7 +5503,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -5318,7 +5545,8 @@ "source.port": 59298, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -5371,7 +5599,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -5410,7 +5641,8 @@ "source.port": 60185, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -5463,7 +5695,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -5502,7 +5737,8 @@ "source.port": 51817, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -5558,7 +5794,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -5597,7 +5836,8 @@ "source.port": 47752, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -5653,7 +5893,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -5692,7 +5935,8 @@ "source.port": 59297, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -5745,7 +5989,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -5784,7 +6031,8 @@ "source.port": 52537, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -5837,7 +6085,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -5876,7 +6127,8 @@ "source.port": 53155, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -5929,7 +6181,10 @@ "network.packets": 13, "network.transport": "tcp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -5968,7 +6223,8 @@ "source.port": 59197, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -6021,7 +6277,10 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -6060,7 +6319,8 @@ "source.port": 56995, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -6113,7 +6373,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -6152,7 +6415,8 @@ "source.port": 59069, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -6205,7 +6469,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -6244,7 +6511,8 @@ "source.port": 55697, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -6300,7 +6568,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -6339,7 +6610,8 @@ "source.port": 59295, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -6392,7 +6664,10 @@ "network.packets": 13, "network.transport": "tcp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -6431,7 +6706,8 @@ "source.port": 59196, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -6487,7 +6763,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -6526,7 +6805,8 @@ "source.port": 59291, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -6579,7 +6859,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -6618,7 +6901,8 @@ "source.port": 52858, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -6671,7 +6955,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -6710,7 +6997,8 @@ "source.port": 61383, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -6766,7 +7054,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -6805,7 +7096,8 @@ "source.port": 59290, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -6858,7 +7150,10 @@ "network.packets": 39, "network.transport": "tcp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -6897,7 +7192,8 @@ "source.port": 59195, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -6950,7 +7246,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -6989,7 +7288,8 @@ "source.port": 49812, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -7042,7 +7342,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -7081,7 +7384,8 @@ "source.port": 50185, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -7137,7 +7441,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -7176,7 +7483,8 @@ "source.port": 59286, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -7223,7 +7531,10 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -7262,7 +7573,8 @@ "source.port": 52531, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -7318,7 +7630,10 @@ "network.packets": 21, "network.transport": "tcp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -7357,7 +7672,8 @@ "source.port": 59194, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -7413,7 +7729,10 @@ "network.packets": 22, "network.transport": "tcp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -7452,7 +7771,8 @@ "source.port": 59192, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -7499,7 +7819,10 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -7538,7 +7861,8 @@ "source.port": 56463, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -7585,7 +7909,10 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -7624,7 +7951,8 @@ "source.port": 55849, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -7680,7 +8008,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -7719,7 +8050,8 @@ "source.port": 59282, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -7772,7 +8104,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -7811,7 +8146,8 @@ "source.port": 57846, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -7864,7 +8200,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -7903,7 +8242,8 @@ "source.port": 51008, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -7959,7 +8299,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -7998,7 +8341,8 @@ "source.port": 59281, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -8051,7 +8395,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -8090,7 +8437,8 @@ "source.port": 55252, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -8137,7 +8485,10 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -8176,7 +8527,8 @@ "source.port": 56995, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -8229,7 +8581,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -8268,7 +8623,8 @@ "source.port": 60989, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -8324,7 +8680,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -8363,7 +8722,8 @@ "source.port": 59280, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -8416,7 +8776,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -8455,7 +8818,8 @@ "source.port": 53766, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -8508,7 +8872,10 @@ "network.packets": 1, "network.transport": "udp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -8547,7 +8914,8 @@ "source.port": 56032, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -8600,7 +8968,10 @@ "network.packets": 13, "network.transport": "tcp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -8639,7 +9010,8 @@ "source.port": 59193, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -8695,7 +9067,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -8734,7 +9109,8 @@ "source.port": 59279, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -8790,7 +9166,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -8829,7 +9208,8 @@ "source.port": 59278, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -8885,7 +9265,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -8924,7 +9307,8 @@ "source.port": 59277, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -8971,7 +9355,10 @@ "network.packets": 2, "network.transport": "udp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -9010,7 +9397,8 @@ "source.port": 60026, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -9066,7 +9454,10 @@ "network.packets": 4, "network.transport": "tcp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -9105,7 +9496,8 @@ "source.port": 59276, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -9161,7 +9553,10 @@ "network.packets": 4, "network.transport": "tcp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -9200,7 +9595,8 @@ "source.port": 59275, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -9256,7 +9652,10 @@ "network.packets": 1, "network.transport": "tcp", "network.type": "ipv4", + "observer.product": "PAN-OS", "observer.serial_number": "01606001116", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "0.0.0.0", @@ -9295,7 +9694,8 @@ "source.port": 59274, "source.user.name": "crusher", "tags": [ - "pan-os" + "pan-os", + "forwarded" ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/panw/panos/test/threat.log-expected.json b/x-pack/filebeat/module/panw/panos/test/threat.log-expected.json index c17fcbee131..f3e4b670c1c 100644 --- a/x-pack/filebeat/module/panw/panos/test/threat.log-expected.json +++ b/x-pack/filebeat/module/panw/panos/test/threat.log-expected.json @@ -45,7 +45,10 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -79,7 +82,8 @@ "source.nat.port": 37679, "source.port": 52984, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "consent.cmp.oath.com/" }, 
@@ -129,7 +133,10 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -163,7 +170,8 @@ "source.nat.port": 28249, "source.port": 52983, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "consent.cmp.oath.com/" }, @@ -213,7 +221,10 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -247,7 +258,8 @@ "source.nat.port": 63898, "source.port": 52986, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "consent.cmp.oath.com/" }, @@ -297,7 +309,10 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -331,7 +346,8 @@ "source.nat.port": 7515, "source.port": 52985, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "consent.cmp.oath.com/" }, 
@@ -381,7 +397,10 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -415,7 +434,8 @@ "source.nat.port": 3225, "source.port": 52987, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "consent.cmp.oath.com/" }, @@ -465,7 +485,10 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -499,7 +522,8 @@ "source.nat.port": 60449, "source.port": 52988, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "consent.cmp.oath.com/" }, @@ -549,7 +573,10 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -583,7 +610,8 @@ "source.nat.port": 60559, "source.port": 52990, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "consent.cmp.oath.com/" }, 
@@ -633,7 +661,10 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -667,7 +698,8 @@ "source.nat.port": 47414, "source.port": 52989, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "consent.cmp.oath.com/" }, @@ -717,7 +749,10 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -751,7 +786,8 @@ "source.nat.port": 37673, "source.port": 52992, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "consent.cmp.oath.com/" }, @@ -801,7 +837,10 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -835,7 +874,8 @@ "source.nat.port": 8232, "source.port": 52991, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "consent.cmp.oath.com/" }, 
@@ -885,7 +925,10 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -919,7 +962,8 @@ "source.nat.port": 32982, "source.port": 52994, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "consent.cmp.oath.com/" }, @@ -969,7 +1013,10 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -1003,7 +1050,8 @@ "source.nat.port": 10473, "source.port": 52993, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "consent.cmp.oath.com/" }, @@ -1053,7 +1101,10 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -1087,7 +1138,8 @@ "source.nat.port": 20446, "source.port": 52995, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "consent.cmp.oath.com/" }, 
@@ -1137,7 +1189,10 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -1171,7 +1226,8 @@ "source.nat.port": 34699, "source.port": 52996, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "consent.cmp.oath.com/" }, @@ -1221,7 +1277,10 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -1255,7 +1314,8 @@ "source.nat.port": 22820, "source.port": 52997, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "consent.cmp.oath.com/" }, @@ -1305,7 +1365,10 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -1339,7 +1402,8 @@ "source.nat.port": 41060, "source.port": 52998, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "consent.cmp.oath.com/" }, 
@@ -1389,7 +1453,10 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -1423,7 +1490,8 @@ "source.nat.port": 9058, "source.port": 52999, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "consent.cmp.oath.com/" }, @@ -1473,7 +1541,10 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -1507,7 +1578,8 @@ "source.nat.port": 54846, "source.port": 53001, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "consent.cmp.oath.com/" }, @@ -1557,7 +1629,10 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -1591,7 +1666,8 @@ "source.nat.port": 52731, "source.port": 53002, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "consent.cmp.oath.com/" }, 
@@ -1641,7 +1717,10 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -1675,7 +1754,8 @@ "source.nat.port": 15165, "source.port": 53003, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "consent.cmp.oath.com/" }, @@ -1725,7 +1805,10 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "23.72.137.131", @@ -1759,7 +1842,8 @@ "source.nat.port": 53918, "source.port": 53004, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "b.scorecardresearch.com/" }, @@ -1809,7 +1893,10 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -1843,7 +1930,8 @@ "source.nat.port": 40792, "source.port": 53000, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "consent.cmp.oath.com/" }, 
@@ -1893,7 +1981,10 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -1927,7 +2018,8 @@ "source.nat.port": 54044, "source.port": 53006, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "consent.cmp.oath.com/" }, @@ -1977,7 +2069,10 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -2011,7 +2106,8 @@ "source.nat.port": 19544, "source.port": 53007, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "consent.cmp.oath.com/" }, @@ -2061,7 +2157,10 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -2095,7 +2194,8 @@ "source.nat.port": 13462, "source.port": 53008, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "consent.cmp.oath.com/" }, 
@@ -2145,7 +2245,10 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -2179,7 +2282,8 @@ "source.nat.port": 44892, "source.port": 53010, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "consent.cmp.oath.com/" }, @@ -2229,7 +2333,10 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -2263,7 +2370,8 @@ "source.nat.port": 16487, "source.port": 53011, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "consent.cmp.oath.com/" }, @@ -2313,7 +2421,10 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -2347,7 +2458,8 @@ "source.nat.port": 23952, "source.port": 53012, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "consent.cmp.oath.com/" }, 
@@ -2397,7 +2509,10 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -2431,7 +2546,8 @@ "source.nat.port": 2810, "source.port": 53013, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "consent.cmp.oath.com/" }, @@ -2481,7 +2597,10 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -2515,7 +2634,8 @@ "source.nat.port": 13272, "source.port": 53014, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "consent.cmp.oath.com/" }, @@ -2565,7 +2685,10 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -2599,7 +2722,8 @@ "source.nat.port": 8663, "source.port": 53022, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "consent.cmp.oath.com/" }, 
@@ -2649,7 +2773,10 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -2683,7 +2810,8 @@ "source.nat.port": 55738, "source.port": 53023, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "consent.cmp.oath.com/" }, @@ -2733,7 +2861,10 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -2767,7 +2898,8 @@ "source.nat.port": 10650, "source.port": 53024, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "consent.cmp.oath.com/" }, @@ -2817,7 +2949,10 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -2851,7 +2986,8 @@ "source.nat.port": 44087, "source.port": 53025, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "consent.cmp.oath.com/" }, 
@@ -2901,7 +3037,10 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "152.195.55.192", @@ -2935,7 +3074,8 @@ "source.nat.port": 15915, "source.port": 53026, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "consent.cmp.oath.com/" }, @@ -2985,7 +3125,10 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "151.101.2.2", @@ -3019,7 +3162,8 @@ "source.nat.port": 41165, "source.port": 53041, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "cdn.taboola.com/" }, @@ -3072,7 +3216,10 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "54.192.7.152", @@ -3106,7 +3253,8 @@ "source.nat.port": 54133, "source.port": 53040, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "rules.quantcount.com/" }, 
@@ -3159,7 +3307,10 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "52.4.120.175", @@ -3193,7 +3344,8 @@ "source.nat.port": 8485, "source.port": 53093, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "srv-2018-11-30-22.config.parsely.com/" }, @@ -3246,7 +3398,10 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "52.4.120.175", @@ -3280,7 +3435,8 @@ "source.nat.port": 12496, "source.port": 53094, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "srv-2018-11-30-22.config.parsely.com/" }, @@ -3333,7 +3489,10 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "52.4.120.175", @@ -3367,7 +3526,8 @@ "source.nat.port": 17029, "source.port": 53095, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "srv-2018-11-30-22.config.parsely.com/" }, 
@@ -3420,7 +3580,10 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "52.4.120.175", @@ -3454,7 +3617,8 @@ "source.nat.port": 23696, "source.port": 53096, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "srv-2018-11-30-22.config.parsely.com/" }, @@ -3507,7 +3671,10 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "52.4.120.175", @@ -3541,7 +3708,8 @@ "source.nat.port": 34769, "source.port": 53097, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "srv-2018-11-30-22.config.parsely.com/" }, @@ -3594,7 +3762,10 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "52.4.120.175", @@ -3628,7 +3799,8 @@ "source.nat.port": 22486, "source.port": 53099, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "srv-2018-11-30-22.config.parsely.com/" }, 
@@ -3681,7 +3853,10 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "52.4.120.175", @@ -3715,7 +3890,8 @@ "source.nat.port": 12894, "source.port": 53100, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "srv-2018-11-30-22.config.parsely.com/" }, @@ -3768,7 +3944,10 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "52.4.120.175", @@ -3802,7 +3981,8 @@ "source.nat.port": 62348, "source.port": 53101, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "srv-2018-11-30-22.config.parsely.com/" }, @@ -3855,7 +4035,10 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "52.4.120.175", @@ -3889,7 +4072,8 @@ "source.nat.port": 6224, "source.port": 53104, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "srv-2018-11-30-22.config.parsely.com/" }, 
@@ -3942,7 +4126,10 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "52.4.120.175", @@ -3976,7 +4163,8 @@ "source.nat.port": 44120, "source.port": 53107, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "srv-2018-11-30-22.config.parsely.com/" }, @@ -4029,7 +4217,10 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "52.4.120.175", @@ -4063,7 +4254,8 @@ "source.nat.port": 44228, "source.port": 53108, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "srv-2018-11-30-22.config.parsely.com/" }, @@ -4116,7 +4308,10 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "52.4.120.175", @@ -4150,7 +4345,8 @@ "source.nat.port": 31322, "source.port": 53109, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "srv-2018-11-30-22.config.parsely.com/" }, 
@@ -4203,7 +4399,10 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "216.58.194.98", @@ -4237,7 +4436,8 @@ "source.nat.port": 1672, "source.port": 53118, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "www.googleadservices.com/" }, @@ -4287,7 +4487,10 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "23.72.145.245", @@ -4321,7 +4524,8 @@ "source.nat.port": 20801, "source.port": 53126, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "service.maxymiser.net/" }, @@ -4371,7 +4575,10 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "23.72.145.245", @@ -4405,7 +4612,8 @@ "source.nat.port": 24533, "source.port": 53127, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "service.maxymiser.net/" }, 
@@ -4455,7 +4663,10 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "23.72.145.245", @@ -4489,7 +4700,8 @@ "source.nat.port": 30150, "source.port": 53128, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "service.maxymiser.net/" }, @@ -4539,7 +4751,10 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "23.72.145.245", @@ -4573,7 +4788,8 @@ "source.nat.port": 36305, "source.port": 53129, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "service.maxymiser.net/" }, @@ -4623,7 +4839,10 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "23.72.145.245", @@ -4657,7 +4876,8 @@ "source.nat.port": 42682, "source.port": 53130, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "service.maxymiser.net/" }, 
@@ -4707,7 +4927,10 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "23.72.145.245", @@ -4741,7 +4964,8 @@ "source.nat.port": 22530, "source.port": 53131, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "service.maxymiser.net/" }, @@ -4791,7 +5015,10 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "23.72.145.245", @@ -4825,7 +5052,8 @@ "source.nat.port": 43713, "source.port": 53132, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "service.maxymiser.net/" }, @@ -4875,7 +5103,10 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "23.72.145.245", @@ -4909,7 +5140,8 @@ "source.nat.port": 60608, "source.port": 53133, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "service.maxymiser.net/" }, 
@@ -4959,7 +5191,10 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "23.72.145.245", @@ -4993,7 +5228,8 @@ "source.nat.port": 9302, "source.port": 53134, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "service.maxymiser.net/" }, @@ -5043,7 +5279,10 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "23.72.145.245", @@ -5077,7 +5316,8 @@ "source.nat.port": 11634, "source.port": 53135, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "service.maxymiser.net/" }, @@ -5130,7 +5370,10 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "54.209.101.70", @@ -5164,7 +5407,8 @@ "source.nat.port": 30818, "source.port": 53152, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "segment-data.zqtk.net/" }, 
@@ -5217,7 +5461,10 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "54.209.101.70", @@ -5251,7 +5498,8 @@ "source.nat.port": 64260, "source.port": 53155, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "segment-data.zqtk.net/" }, @@ -5304,7 +5552,10 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "54.209.101.70", @@ -5338,7 +5589,8 @@ "source.nat.port": 7071, "source.port": 53158, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "segment-data.zqtk.net/" }, @@ -5391,7 +5643,10 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "54.209.101.70", @@ -5425,7 +5680,8 @@ "source.nat.port": 4512, "source.port": 53160, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "segment-data.zqtk.net/" }, 
@@ -5478,7 +5734,10 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "54.209.101.70", @@ -5512,7 +5771,8 @@ "source.nat.port": 3422, "source.port": 53161, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "segment-data.zqtk.net/" }, @@ -5565,7 +5825,10 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "54.209.101.70", @@ -5599,7 +5862,8 @@ "source.nat.port": 4651, "source.port": 53162, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "segment-data.zqtk.net/" }, @@ -5652,7 +5916,10 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "54.209.101.70", @@ -5686,7 +5953,8 @@ "source.nat.port": 19068, "source.port": 53163, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "segment-data.zqtk.net/" }, 
@@ -5739,7 +6007,10 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "54.209.101.70", @@ -5773,7 +6044,8 @@ "source.nat.port": 5831, "source.port": 53164, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "segment-data.zqtk.net/" }, @@ -5826,7 +6098,10 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "54.209.101.70", @@ -5860,7 +6135,8 @@ "source.nat.port": 7084, "source.port": 53165, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "segment-data.zqtk.net/" }, @@ -5913,7 +6189,10 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "54.209.101.70", @@ -5947,7 +6226,8 @@ "source.nat.port": 18633, "source.port": 53166, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "segment-data.zqtk.net/" }, 
@@ -6000,7 +6280,10 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "54.209.101.70", @@ -6034,7 +6317,8 @@ "source.nat.port": 25557, "source.port": 53167, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "segment-data.zqtk.net/" }, @@ -6087,7 +6371,10 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "54.209.101.70", @@ -6121,7 +6408,8 @@ "source.nat.port": 20661, "source.port": 53150, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "segment-data.zqtk.net/" }, @@ -6174,7 +6462,10 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "54.209.101.70", @@ -6208,7 +6499,8 @@ "source.nat.port": 65438, "source.port": 53185, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "segment-data.zqtk.net/" }, 
@@ -6261,7 +6553,10 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "54.209.101.70", @@ -6295,7 +6590,8 @@ "source.nat.port": 53101, "source.port": 53187, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "segment-data.zqtk.net/" }, @@ -6348,7 +6644,10 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "54.209.101.70", @@ -6382,7 +6681,8 @@ "source.nat.port": 35463, "source.port": 53188, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "segment-data.zqtk.net/" }, @@ -6435,7 +6735,10 @@ "network.direction": "inbound", "network.transport": "tcp", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "block-url", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "54.209.101.70", @@ -6469,7 +6772,8 @@ "source.nat.port": 45769, "source.port": 53178, "tags": [ - "pan-os" + "pan-os", + "forwarded" ], "url.original": "segment-data.zqtk.net/" } diff --git a/x-pack/filebeat/module/panw/panos/test/traffic.log-expected.json b/x-pack/filebeat/module/panw/panos/test/traffic.log-expected.json index 9e1333f9fb8..b2b1dc22adb 100644 --- a/x-pack/filebeat/module/panw/panos/test/traffic.log-expected.json 
+++ b/x-pack/filebeat/module/panw/panos/test/traffic.log-expected.json @@ -52,7 +52,10 @@ "network.transport": "tcp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "184.51.253.152", @@ -87,7 +90,8 @@ "source.packets": 20, "source.port": 55113, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -143,7 +147,10 @@ "network.transport": "icmp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -178,7 +185,8 @@ "source.packets": 6, "source.port": 0, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -237,7 +245,10 @@ "network.transport": "tcp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "17.253.3.202", @@ -272,7 +283,8 @@ "source.packets": 5, "source.port": 55114, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -328,7 +340,10 @@ "network.transport": "icmp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", 
@@ -363,7 +378,8 @@ "source.packets": 6, "source.port": 0, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -422,7 +438,10 @@ "network.transport": "udp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "216.58.194.99", @@ -457,7 +476,8 @@ "source.packets": 3, "source.port": 46774, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -513,7 +533,10 @@ "network.transport": "tcp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "209.234.224.22", @@ -548,7 +571,8 @@ "source.packets": 51, "source.port": 52408, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -604,7 +628,10 @@ "network.transport": "icmp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -639,7 +666,8 @@ "source.packets": 6, "source.port": 0, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -695,7 +723,10 @@ "network.transport": "udp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "172.217.2.238", 
@@ -730,7 +761,8 @@ "source.packets": 9, "source.port": 59190, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -786,7 +818,10 @@ "network.transport": "udp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -821,7 +856,8 @@ "source.packets": 1, "source.port": 49728, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -877,7 +913,10 @@ "network.transport": "udp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -912,7 +951,8 @@ "source.packets": 1, "source.port": 50500, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -968,7 +1008,10 @@ "network.transport": "tcp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "17.249.60.78", @@ -1003,7 +1046,8 @@ "source.packets": 16, "source.port": 55112, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -1059,7 +1103,10 @@ "network.transport": "udp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", 
@@ -1094,7 +1141,8 @@ "source.packets": 1, "source.port": 57632, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -1150,7 +1198,10 @@ "network.transport": "udp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -1185,7 +1236,8 @@ "source.packets": 1, "source.port": 50271, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -1241,7 +1293,10 @@ "network.transport": "udp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -1276,7 +1331,8 @@ "source.packets": 1, "source.port": 54061, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -1332,7 +1388,10 @@ "network.transport": "udp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -1367,7 +1426,8 @@ "source.packets": 1, "source.port": 52701, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -1423,7 +1483,10 @@ "network.transport": "icmp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", 
@@ -1458,7 +1521,8 @@ "source.packets": 6, "source.port": 0, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -1514,7 +1578,10 @@ "network.transport": "udp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -1549,7 +1616,8 @@ "source.packets": 1, "source.port": 62503, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -1605,7 +1673,10 @@ "network.transport": "tcp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "98.138.49.44", @@ -1640,7 +1711,8 @@ "source.packets": 13, "source.port": 52442, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -1696,7 +1768,10 @@ "network.transport": "tcp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "72.30.3.43", @@ -1731,7 +1806,8 @@ "source.packets": 11, "source.port": 52441, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -1787,7 +1863,10 @@ "network.transport": "icmp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", 
@@ -1822,7 +1901,8 @@ "source.packets": 2, "source.port": 0, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -1878,7 +1958,10 @@ "network.transport": "tcp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "172.217.9.142", @@ -1913,7 +1996,8 @@ "source.packets": 17, "source.port": 52355, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -1969,7 +2053,10 @@ "network.transport": "udp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -2004,7 +2091,8 @@ "source.packets": 1, "source.port": 50196, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -2063,7 +2151,10 @@ "network.transport": "tcp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "54.84.80.198", @@ -2098,7 +2189,8 @@ "source.packets": 12, "source.port": 52454, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -2155,7 +2247,10 @@ "network.transport": "tcp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "199.167.55.52", @@ -2190,7 +2285,8 @@ "source.packets": 0, "source.port": 52445, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -2246,7 +2342,10 @@ "network.transport": "icmp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -2281,7 +2380,8 @@ "source.packets": 6, "source.port": 0, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -2334,7 +2434,10 @@ "network.transport": "udp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -2369,7 +2472,8 @@ "source.packets": 1, "source.port": 35485, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -2422,7 +2526,10 @@ "network.transport": "udp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "172.217.9.142", 
@@ -2457,7 +2564,8 @@ "source.packets": 6, "source.port": 62730, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -2513,7 +2621,10 @@ "network.transport": "tcp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "151.101.2.2", @@ -2548,7 +2659,8 @@ "source.packets": 5, "source.port": 52506, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -2607,7 +2719,10 @@ "network.transport": "udp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "216.58.194.66", @@ -2642,7 +2757,8 @@ "source.packets": 4, "source.port": 60596, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -2698,7 +2814,10 @@ "network.transport": "icmp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -2733,7 +2852,8 @@ "source.packets": 6, "source.port": 0, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -2789,7 +2909,10 @@ "network.transport": "icmp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", 
@@ -2824,7 +2947,8 @@ "source.packets": 2, "source.port": 0, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -2880,7 +3004,10 @@ "network.transport": "tcp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "184.51.253.193", @@ -2915,7 +3042,8 @@ "source.packets": 10, "source.port": 52514, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -2971,7 +3099,10 @@ "network.transport": "udp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -3006,7 +3137,8 @@ "source.packets": 1, "source.port": 55155, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -3063,7 +3195,10 @@ "network.transport": "tcp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "199.167.55.52", @@ -3098,7 +3233,8 @@ "source.packets": 0, "source.port": 52445, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -3157,7 +3293,10 @@ "network.transport": "tcp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "199.167.52.219", @@ -3192,7 +3331,8 @@ "source.packets": 9, "source.port": 52516, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -3251,7 +3391,10 @@ "network.transport": "tcp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "52.71.117.196", @@ -3286,7 +3429,8 @@ "source.packets": 19, "source.port": 52511, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -3342,7 +3486,10 @@ "network.transport": "udp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -3377,7 +3524,8 @@ "source.packets": 1, "source.port": 3018, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -3433,7 +3581,10 @@ "network.transport": "udp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", 
@@ -3468,7 +3619,8 @@ "source.packets": 1, "source.port": 16569, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -3527,7 +3679,10 @@ "network.transport": "tcp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "35.186.194.41", @@ -3562,7 +3717,8 @@ "source.packets": 20, "source.port": 52479, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -3617,7 +3773,10 @@ "network.transport": "tcp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "35.201.124.9", @@ -3652,7 +3811,8 @@ "source.packets": 41, "source.port": 52478, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -3711,7 +3871,10 @@ "network.transport": "tcp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "100.24.131.237", @@ -3746,7 +3909,8 @@ "source.packets": 15, "source.port": 52502, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -3802,7 +3966,10 @@ "network.transport": "tcp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "184.51.252.247", @@ -3837,7 +4004,8 @@ "source.packets": 7, "source.port": 52458, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -3896,7 +4064,10 @@ "network.transport": "tcp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "35.190.88.148", @@ -3931,7 +4102,8 @@ "source.packets": 16, "source.port": 52484, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -3990,7 +4162,10 @@ "network.transport": "tcp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "35.186.243.83", @@ -4025,7 +4200,8 @@ "source.packets": 16, "source.port": 52482, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -4081,7 +4257,10 @@ "network.transport": "udp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", 
@@ -4116,7 +4295,8 @@ "source.packets": 1, "source.port": 33769, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -4172,7 +4352,10 @@ "network.transport": "udp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -4207,7 +4390,8 @@ "source.packets": 1, "source.port": 14106, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -4266,7 +4450,10 @@ "network.transport": "tcp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "100.24.165.74", @@ -4301,7 +4488,8 @@ "source.packets": 13, "source.port": 52503, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -4357,7 +4545,10 @@ "network.transport": "tcp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "184.51.252.247", @@ -4392,7 +4583,8 @@ "source.packets": 7, "source.port": 52459, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -4447,7 +4639,10 @@ "network.transport": "tcp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "35.201.94.140", @@ -4482,7 +4677,8 @@ "source.packets": 16, "source.port": 52483, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -4538,7 +4734,10 @@ "network.transport": "icmp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -4571,7 +4770,8 @@ "source.packets": 6, "source.port": 0, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -4627,7 +4827,10 @@ "network.transport": "udp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -4662,7 +4865,8 @@ "source.packets": 1, "source.port": 38663, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -4718,7 +4922,10 @@ "network.transport": "udp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -4753,7 +4960,8 @@ "source.packets": 1, "source.port": 50443, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -4809,7 +5017,10 @@ "network.transport": "udp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -4844,7 +5055,8 @@ "source.packets": 1, "source.port": 54215, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -4900,7 +5112,10 @@ "network.transport": "udp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -4935,7 +5150,8 @@ "source.packets": 1, "source.port": 35827, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -4991,7 +5207,10 @@ "network.transport": "udp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -5026,7 +5245,8 @@ "source.packets": 1, "source.port": 60609, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -5082,7 +5302,10 @@ "network.transport": "udp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -5117,7 +5340,8 @@ "source.packets": 1, "source.port": 3248, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -5173,7 +5397,10 @@ "network.transport": "udp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -5208,7 +5435,8 @@ "source.packets": 1, "source.port": 49284, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -5264,7 +5492,10 @@ "network.transport": "udp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -5299,7 +5530,8 @@ "source.packets": 1, "source.port": 57732, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -5355,7 +5587,10 @@ "network.transport": "udp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -5390,7 +5625,8 @@ "source.packets": 1, "source.port": 49195, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -5446,7 +5682,10 @@ "network.transport": "udp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -5481,7 +5720,8 @@ "source.packets": 1, "source.port": 17266, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -5537,7 +5777,10 @@ "network.transport": "udp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -5572,7 +5815,8 @@ "source.packets": 1, "source.port": 48631, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -5628,7 +5872,10 @@ "network.transport": "udp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -5663,7 +5910,8 @@ "source.packets": 1, "source.port": 58540, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -5719,7 +5967,10 @@ "network.transport": "udp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -5754,7 +6005,8 @@ "source.packets": 1, "source.port": 42678, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -5813,7 +6065,10 @@ "network.transport": "udp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "66.28.0.45", @@ -5848,7 +6103,8 @@ "source.packets": 1, "source.port": 16576, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -5904,7 +6160,10 @@ "network.transport": "udp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -5939,7 +6198,8 @@ "source.packets": 1, "source.port": 39830, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -5995,7 +6255,10 @@ "network.transport": "udp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -6030,7 +6293,8 @@ "source.packets": 1, "source.port": 6185, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -6086,7 +6350,10 @@ "network.transport": "udp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -6121,7 +6388,8 @@ "source.packets": 1, "source.port": 8781, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -6177,7 +6445,10 @@ "network.transport": "udp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -6212,7 +6483,8 @@ "source.packets": 1, "source.port": 16788, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -6268,7 +6540,10 @@ "network.transport": "udp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -6303,7 +6578,8 @@ "source.packets": 1, "source.port": 45307, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -6362,7 +6638,10 @@ "network.transport": "tcp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "23.52.174.25", @@ -6397,7 +6676,8 @@ "source.packets": 5, "source.port": 52520, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -6453,7 +6733,10 @@ "network.transport": "udp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -6488,7 +6771,8 @@ "source.packets": 1, "source.port": 8503, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -6544,7 +6828,10 @@ "network.transport": "udp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -6579,7 +6866,8 @@ "source.packets": 1, "source.port": 6910, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -6638,7 +6926,10 @@ "network.transport": "tcp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "54.230.5.228", @@ -6673,7 +6964,8 @@ "source.packets": 4, "source.port": 52475, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -6729,7 +7021,10 @@ "network.transport": "udp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -6764,7 +7059,8 @@ "source.packets": 1, "source.port": 14342, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -6820,7 +7116,10 @@ "network.transport": "udp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -6855,7 +7154,8 @@ "source.packets": 1, "source.port": 48197, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -6911,7 +7211,10 @@ "network.transport": "udp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -6946,7 +7249,8 @@ "source.packets": 1, "source.port": 32296, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -7002,7 +7306,10 @@ "network.transport": "udp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "208.83.246.20", @@ -7037,7 +7344,8 @@ "source.packets": 1, "source.port": 33870, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -7092,7 +7400,10 @@ "network.transport": "udp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "drop-icmp", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -7127,7 +7438,8 @@ "source.packets": 2, "source.port": 54659, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -7182,7 +7494,10 @@ "network.transport": "udp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "reset-client", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -7217,7 +7532,8 @@ "source.packets": 1, "source.port": 57446, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -7272,7 +7588,10 @@ "network.transport": "udp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "reset-server", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", 
@@ -7307,7 +7626,8 @@ "source.packets": 1, "source.port": 22655, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -7364,7 +7684,10 @@ "network.transport": "tcp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "reset-both", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "35.185.88.112", @@ -7399,7 +7722,8 @@ "source.packets": 11, "source.port": 52509, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -7455,7 +7779,10 @@ "network.transport": "udp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -7490,7 +7817,8 @@ "source.packets": 1, "source.port": 27192, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -7546,7 +7874,10 @@ "network.transport": "udp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -7581,7 +7912,8 @@ "source.packets": 1, "source.port": 30221, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -7637,7 +7969,10 @@ "network.transport": "udp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -7672,7 +8007,8 @@ "source.packets": 1, "source.port": 30570, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -7731,7 +8067,10 @@ "network.transport": "tcp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "50.19.85.24", @@ -7766,7 +8105,8 @@ "source.packets": 7, "source.port": 52497, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -7825,7 +8165,10 @@ "network.transport": "tcp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "50.19.85.24", @@ -7860,7 +8203,8 @@ "source.packets": 7, "source.port": 52498, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -7919,7 +8263,10 @@ "network.transport": "tcp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "50.19.85.24", 
@@ -7954,7 +8301,8 @@ "source.packets": 7, "source.port": 52496, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -8010,7 +8358,10 @@ "network.transport": "tcp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "104.254.150.9", @@ -8045,7 +8396,8 @@ "source.packets": 10, "source.port": 52510, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -8104,7 +8456,10 @@ "network.transport": "tcp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "50.19.85.24", @@ -8139,7 +8494,8 @@ "source.packets": 7, "source.port": 52495, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -8198,7 +8554,10 @@ "network.transport": "tcp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "52.0.218.108", @@ -8233,7 +8592,8 @@ "source.packets": 3, "source.port": 52486, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { 
@@ -8292,7 +8652,10 @@ "network.transport": "tcp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "52.6.117.19", @@ -8327,7 +8690,8 @@ "source.packets": 3, "source.port": 52489, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -8386,7 +8750,10 @@ "network.transport": "tcp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "34.238.96.22", @@ -8421,7 +8788,8 @@ "source.packets": 3, "source.port": 52490, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -8480,7 +8848,10 @@ "network.transport": "tcp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "130.211.47.17", @@ -8515,7 +8886,8 @@ "source.packets": 4, "source.port": 52493, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -8571,7 +8943,10 @@ "network.transport": "udp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", 
@@ -8606,7 +8981,8 @@ "source.packets": 1, "source.port": 59320, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -8662,7 +9038,10 @@ "network.transport": "icmp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -8697,7 +9076,8 @@ "source.packets": 6, "source.port": 0, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -8753,7 +9133,10 @@ "network.transport": "udp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -8788,7 +9171,8 @@ "source.packets": 1, "source.port": 13076, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -8844,7 +9228,10 @@ "network.transport": "udp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -8879,7 +9266,8 @@ "source.packets": 1, "source.port": 5511, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -8935,7 +9323,10 @@ "network.transport": "udp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", 
@@ -8970,7 +9361,8 @@ "source.packets": 1, "source.port": 9799, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -9026,7 +9418,10 @@ "network.transport": "udp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -9061,7 +9456,8 @@ "source.packets": 1, "source.port": 39169, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] }, { @@ -9117,7 +9513,10 @@ "network.transport": "udp", "network.type": "ipv4", "observer.hostname": "PA-220", + "observer.product": "PAN-OS", "observer.serial_number": "012801096514", + "observer.type": "firewall", + "observer.vendor": "Palo Alto Networks", "panw.panos.action": "allow", "panw.panos.destination.interface": "ethernet1/1", "panw.panos.destination.nat.ip": "8.8.8.8", @@ -9152,7 +9551,8 @@ "source.packets": 1, "source.port": 42476, "tags": [ - "pan-os" + "pan-os", + "forwarded" ] } ] \ No newline at end of file From 3bc2a5e5d736962e3de539093904330ad4781c9d Mon Sep 17 00:00:00 2001 
From: Andrew Kroh Date: Thu, 7 May 2020 17:04:39 -0400 Subject: [PATCH 2/3] Use 'forwarded' as the conventional tag --- filebeat/_meta/config/processors.yml.tmpl | 4 +- filebeat/filebeat.yml | 4 +- x-pack/filebeat/filebeat.yml | 4 +- .../module/aws/cloudtrail/config/file.yml | 2 +- .../module/aws/cloudtrail/config/s3.yml | 2 +- .../module/aws/cloudtrail/manifest.yml | 2 +- .../add-user-to-group-json.log-expected.json | 2 +- .../test/assume-role-json.log-expected.json | 2 +- .../change-password-json.log-expected.json | 4 +- .../test/console-login-json.log-expected.json | 6 +- .../create-access-key-json.log-expected.json | 2 +- .../test/create-group-json.log-expected.json | 4 +- .../create-key-pair-json.log-expected.json | 2 +- .../test/create-trail-json.log-expected.json | 2 +- .../test/create-user-json.log-expected.json | 2 +- ...-virtual-mfa-device-json.log-expected.json | 2 +- ...activate-mfa-device-json.log-expected.json | 2 +- .../delete-access-key-json.log-expected.json | 2 +- .../test/delete-bucket-json.log-expected.json | 2 +- .../test/delete-group-json.log-expected.json | 4 +- ...lete-ssh-public-key-json.log-expected.json | 2 +- .../test/delete-trail-json.log-expected.json | 2 +- .../test/delete-user-json.log-expected.json | 2 +- ...-virtual-mfa-device-json.log-expected.json | 2 +- .../enable-mfa-device-json.log-expected.json | 2 +- ...ove-user-from-group-json.log-expected.json | 2 +- .../test/start-logging-json.log-expected.json | 2 +- .../test/stop-logging-json.log-expected.json | 2 +- .../update-access-key-json.log-expected.json | 2 +- ...out-password-policy-json.log-expected.json | 2 +- .../test/update-group-json.log-expected.json | 4 +- ...pdate-login-profile-json.log-expected.json | 2 +- ...date-ssh-public-key-json.log-expected.json | 4 +- .../test/update-trail-json.log-expected.json | 4 +- .../test/update-user-json.log-expected.json | 2 +- ...load-ssh-public-key-json.log-expected.json | 2 +- .../module/aws/cloudwatch/config/file.yml | 2 +- 
.../module/aws/cloudwatch/config/s3.yml | 2 +- .../module/aws/cloudwatch/manifest.yml | 2 +- .../test/cloudwatch_ec2.log-expected.json | 12 +- .../filebeat/module/aws/ec2/config/file.yml | 2 +- x-pack/filebeat/module/aws/ec2/config/s3.yml | 2 +- x-pack/filebeat/module/aws/ec2/manifest.yml | 2 +- .../module/aws/ec2/test/ec2.log-expected.json | 12 +- .../filebeat/module/aws/elb/config/file.yml | 2 +- x-pack/filebeat/module/aws/elb/config/s3.yml | 2 +- x-pack/filebeat/module/aws/elb/manifest.yml | 2 +- .../application-lb-http.log-expected.json | 20 +- .../aws/elb/test/elb-http.log-expected.json | 10 +- .../aws/elb/test/elb-tcp.log-expected.json | 12 +- .../test/example-alb-http.log-expected.json | 18 +- .../elb/test/example-http.log-expected.json | 6 +- .../elb/test/example-https.log-expected.json | 2 +- .../test/example-nlb-tcp.log-expected.json | 2 +- .../elb/test/example-ssl.log-expected.json | 2 +- .../elb/test/example-tcp.log-expected.json | 4 +- .../module/aws/s3access/config/file.yml | 2 +- .../module/aws/s3access/config/s3.yml | 2 +- .../filebeat/module/aws/s3access/manifest.yml | 2 +- .../test/s3_server_access.log-expected.json | 12 +- .../aws/s3access/test/test.log-expected.json | 10 +- .../module/aws/vpcflow/config/input.yml | 2 +- .../filebeat/module/aws/vpcflow/manifest.yml | 2 +- .../accept-reject-traffic.log-expected.json | 8 +- .../test/custom-nat-gateway.log-expected.json | 4 +- .../custom-transit-gateway.log-expected.json | 2 +- .../aws/vpcflow/test/ipv6.log-expected.json | 2 +- .../test/no-data-skip-data.log-expected.json | 4 +- .../test/tcp-flag-sequence.log-expected.json | 2 +- .../activitylogs/config/azure-eventhub.yml | 2 +- .../module/azure/activitylogs/config/file.yml | 2 +- .../module/azure/activitylogs/manifest.yml | 2 +- .../test/activitylogs.log-expected.json | 2 +- .../azure/auditlogs/config/azure-eventhub.yml | 2 +- .../module/azure/auditlogs/config/file.yml | 2 +- .../module/azure/auditlogs/manifest.yml | 2 +- 
.../test/auditlogs.log-expected.json | 2 +- .../signinlogs/config/azure-eventhub.yml | 2 +- .../module/azure/signinlogs/config/file.yml | 2 +- .../module/azure/signinlogs/manifest.yml | 2 +- .../test/signinlogs.log-expected.json | 2 +- .../module/googlecloud/audit/config/input.yml | 2 +- .../module/googlecloud/audit/manifest.yml | 2 +- .../audit-log-entries.json.log-expected.json | 8 +- .../googlecloud/firewall/config/input.yml | 2 +- .../module/googlecloud/firewall/manifest.yml | 2 +- .../firewall/test/rare.log-expected.json | 4 +- .../firewall/test/test.log-expected.json | 40 ++-- .../googlecloud/vpcflow/config/input.yml | 2 +- .../module/googlecloud/vpcflow/manifest.yml | 2 +- ...pc-flow-log-entries.json.log-expected.json | 200 +++++++++--------- .../module/o365/audit/config/input.yml | 2 +- .../filebeat/module/o365/audit/manifest.yml | 2 +- .../test/01-exchange-admin.log-expected.json | 200 +++++++++--------- .../test/02-exchange-item.log-expected.json | 18 +- .../test/04-sharepoint.log-expected.json | 8 +- .../06-sharepointfileop.log-expected.json | 22 +- .../audit/test/08-azuread.log-expected.json | 200 +++++++++--------- .../test/11-dlp-sharepoint.log-expected.json | 14 +- .../test/13-dlp-exchange.log-expected.json | 12 +- .../test/14-sp-sharing-op.log-expected.json | 20 +- .../15-azuread-sts-logon.log-expected.json | 138 ++++++------ .../audit/test/22-yammer.log-expected.json | 4 +- .../audit/test/25-ms-teams.log-expected.json | 8 +- .../test/40-sec-comp-alerts.log-expected.json | 6 +- .../52-data-insights-api.log-expected.json | 18 +- .../module/okta/system/config/input.yml | 2 +- .../filebeat/module/okta/system/manifest.yml | 2 +- .../okta-system-test.json.log-expected.json | 6 +- 109 files changed, 615 insertions(+), 621 deletions(-) diff --git a/filebeat/_meta/config/processors.yml.tmpl b/filebeat/_meta/config/processors.yml.tmpl index fee0a19cb60..26da2cbe74f 100644 --- a/filebeat/_meta/config/processors.yml.tmpl 
+++ b/filebeat/_meta/config/processors.yml.tmpl
@@ -1,9 +1,7 @@
 {{header "Processors"}}
 processors:
   - add_host_metadata:
-      when.not.or:
-      - contains.tags: cloud
-      - contains.tags: forwarded
+      when.not.contains.tags: forwarded
   - add_cloud_metadata: ~
   - add_docker_metadata: ~
   - add_kubernetes_metadata: ~
diff --git a/filebeat/filebeat.yml b/filebeat/filebeat.yml
index c6b52f50619..9dbcc8f6c64 100644
--- a/filebeat/filebeat.yml
+++ b/filebeat/filebeat.yml
@@ -174,9 +174,7 @@ output.elasticsearch:
 # ================================= Processors =================================
 processors:
   - add_host_metadata:
-      when.not.or:
-      - contains.tags: cloud
-      - contains.tags: forwarded
+      when.not.contains.tags: forwarded
   - add_cloud_metadata: ~
   - add_docker_metadata: ~
   - add_kubernetes_metadata: ~
diff --git a/x-pack/filebeat/filebeat.yml b/x-pack/filebeat/filebeat.yml
index c6b52f50619..9dbcc8f6c64 100644
--- a/x-pack/filebeat/filebeat.yml
+++ b/x-pack/filebeat/filebeat.yml
@@ -174,9 +174,7 @@ output.elasticsearch:
 # ================================= Processors =================================
 processors:
   - add_host_metadata:
-      when.not.or:
-      - contains.tags: cloud
-      - contains.tags: forwarded
+      when.not.contains.tags: forwarded
   - add_cloud_metadata: ~
   - add_docker_metadata: ~
   - add_kubernetes_metadata: ~
diff --git a/x-pack/filebeat/module/aws/cloudtrail/config/file.yml b/x-pack/filebeat/module/aws/cloudtrail/config/file.yml
index b80698e7051..5a56f210c79 100644
--- a/x-pack/filebeat/module/aws/cloudtrail/config/file.yml
+++ b/x-pack/filebeat/module/aws/cloudtrail/config/file.yml
@@ -5,7 +5,7 @@ paths:
 {{ end }}
 exclude_files: [".gz$"]
 tags: {{.tags | tojson}}
-publisher_pipeline.disable_host: {{ inList .tags "cloud" }}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
 
 processors:
   - add_fields:
diff --git a/x-pack/filebeat/module/aws/cloudtrail/config/s3.yml b/x-pack/filebeat/module/aws/cloudtrail/config/s3.yml
index 176789e9e06..2a6f38d1fad 100644
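Review bot: The new `when.not.contains.tags: forwarded` guard covers only `add_host_metadata`; the `add_cloud_metadata: ~` entry directly below it still runs unconditionally, so a forwarded PAN-OS event or a CloudTrail record collected on a cloud instance will carry `cloud.*` describing the collector rather than the event's origin, which is the same misattribution this commit removes for `host.*` and can mislead triage that pivots on `cloud.instance.id` or `cloud.region`. If that is not intended, the same condition applies to it: `- add_cloud_metadata:` / `    when.not.contains.tags: forwarded`. The identical lines appear in the filebeat/filebeat.yml and x-pack/filebeat/filebeat.yml hunks of this commit; those files look generated from this template, so the change belongs here. A short comment above the processor, e.g. `# "forwarded" marks events that originated on another host or in a cloud API; host.* would describe the collector, not the source.`, would keep a future editor from dropping the condition.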
--- a/x-pack/filebeat/module/aws/cloudtrail/config/s3.yml
+++ b/x-pack/filebeat/module/aws/cloudtrail/config/s3.yml
@@ -39,7 +39,7 @@ role_arn: {{ .role_arn }}
 {{ end }}
 
 tags: {{.tags | tojson}}
-publisher_pipeline.disable_host: {{ inList .tags "cloud" }}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
 
 processors:
   - add_fields:
diff --git a/x-pack/filebeat/module/aws/cloudtrail/manifest.yml b/x-pack/filebeat/module/aws/cloudtrail/manifest.yml
index 774964c2f49..2878c79936d 100644
--- a/x-pack/filebeat/module/aws/cloudtrail/manifest.yml
+++ b/x-pack/filebeat/module/aws/cloudtrail/manifest.yml
@@ -14,7 +14,7 @@ var:
   - name: session_token
   - name: role_arn
   - name: tags
-    default: [cloud]
+    default: [forwarded]
 
 ingest_pipeline: ingest/pipeline.yml
 input: config/{{.input}}.yml
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/add-user-to-group-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/add-user-to-group-json.log-expected.json
index bc301dd3fb4..316ddd56146 100644
--- a/x-pack/filebeat/module/aws/cloudtrail/test/add-user-to-group-json.log-expected.json
+++ b/x-pack/filebeat/module/aws/cloudtrail/test/add-user-to-group-json.log-expected.json
@@ -28,7 +28,7 @@
         "source.address": "127.0.0.1",
         "source.ip": "127.0.0.1",
         "tags": [
-            "cloud"
+            "forwarded"
         ],
         "user.id": "EX_PRINCIPAL_ID",
         "user.name": "Alice",
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/assume-role-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/assume-role-json.log-expected.json
index 6a236c97c21..39eb927bc8a 100644
--- a/x-pack/filebeat/module/aws/cloudtrail/test/assume-role-json.log-expected.json
+++ b/x-pack/filebeat/module/aws/cloudtrail/test/assume-role-json.log-expected.json
@@ -35,7 +35,7 @@
         "source.geo.region_name": "Chongqing",
         "source.ip": "123.145.67.89",
         "tags": [
-            "cloud"
+            "forwarded"
         ],
         "user.id": "AROAIN5ATK5U7KEXAMPLE:JohnRole1",
         "user_agent.device.name": "Spider",
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/change-password-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/change-password-json.log-expected.json index 58e03e3bfa6..e6903e9d78d 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/change-password-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/change-password-json.log-expected.json @@ -27,7 +27,7 @@ "source.address": "127.0.0.1", "source.ip": "127.0.0.1", "tags": [ - "cloud" + "forwarded" ], "user.id": "0123456789012", "user.name": "Alice", @@ -62,7 +62,7 @@ "source.address": "127.0.0.1", "source.ip": "127.0.0.1", "tags": [ - "cloud" + "forwarded" ], "user.id": "0123456789012", "user.name": "Alice", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/console-login-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/console-login-json.log-expected.json index c32cfe18198..670a6dfd8b5 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/console-login-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/console-login-json.log-expected.json @@ -28,7 +28,7 @@ "source.address": "192.0.2.110", "source.ip": "192.0.2.110", "tags": [ - "cloud" + "forwarded" ], "user.id": "AIDACKCEVSQ6C2EXAMPLE", "user.name": "JohnDoe", @@ -70,7 +70,7 @@ "source.address": "192.0.2.100", "source.ip": "192.0.2.100", "tags": [ - "cloud" + "forwarded" ], "user.id": "AIDACKCEVSQ6C2EXAMPLE", "user.name": "JaneDoe", @@ -118,7 +118,7 @@ "source.address": "192.0.2.100", "source.ip": "192.0.2.100", "tags": [ - "cloud" + "forwarded" ], "user.id": "AROAIDPPEZS35WEXAMPLE:AssumedRoleSessionName", "user.name": "RoleToBeAssumed", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/create-access-key-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/create-access-key-json.log-expected.json index 3aa2ab09f17..892de5848b6 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/create-access-key-json.log-expected.json 
+++ b/x-pack/filebeat/module/aws/cloudtrail/test/create-access-key-json.log-expected.json @@ -33,7 +33,7 @@ "source.address": "127.0.0.1", "source.ip": "127.0.0.1", "tags": [ - "cloud" + "forwarded" ], "user.id": "EXAMPLE_ID", "user.name": "Alice", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/create-group-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/create-group-json.log-expected.json index 82c33d3b896..1edd9a07ab1 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/create-group-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/create-group-json.log-expected.json @@ -30,7 +30,7 @@ "source.address": "127.0.0.1", "source.ip": "127.0.0.1", "tags": [ - "cloud" + "forwarded" ], "user.id": "0123456789012", "user.name": "Alice", @@ -67,7 +67,7 @@ "source.address": "127.0.0.1", "source.ip": "127.0.0.1", "tags": [ - "cloud" + "forwarded" ], "user.id": "0123456789012", "user.name": "Alice", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/create-key-pair-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/create-key-pair-json.log-expected.json index 60f6a4c6663..8330d7b5135 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/create-key-pair-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/create-key-pair-json.log-expected.json @@ -33,7 +33,7 @@ "source.geo.region_name": "Virginia", "source.ip": "72.21.198.64", "tags": [ - "cloud" + "forwarded" ], "user.id": "EX_PRINCIPAL_ID", "user.name": "Alice", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/create-trail-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/create-trail-json.log-expected.json index 88dd494e9ba..fda411e58d4 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/create-trail-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/create-trail-json.log-expected.json 
@@ -31,7 +31,7 @@ "source.address": "127.0.0.1", "source.ip": "127.0.0.1", "tags": [ - "cloud" + "forwarded" ], "user.id": "EXAMPLE_ID", "user.name": "Alice", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/create-user-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/create-user-json.log-expected.json index 0c53b7defd5..4d73d319fdb 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/create-user-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/create-user-json.log-expected.json @@ -27,7 +27,7 @@ "source.address": "127.0.0.1", "source.ip": "127.0.0.1", "tags": [ - "cloud" + "forwarded" ], "user.id": "EX_PRINCIPAL_ID", "user.name": "Alice", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/create-virtual-mfa-device-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/create-virtual-mfa-device-json.log-expected.json index 27c2f3be030..4f055c52f3f 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/create-virtual-mfa-device-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/create-virtual-mfa-device-json.log-expected.json @@ -29,7 +29,7 @@ "source.address": "127.0.0.1", "source.ip": "127.0.0.1", "tags": [ - "cloud" + "forwarded" ], "user.id": "EXAMPLE_ID", "user.name": "Alice", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/deactivate-mfa-device-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/deactivate-mfa-device-json.log-expected.json index ba60076503e..d15582a8d76 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/deactivate-mfa-device-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/deactivate-mfa-device-json.log-expected.json @@ -32,7 +32,7 @@ "source.address": "127.0.0.1", "source.ip": "127.0.0.1", "tags": [ - "cloud" + "forwarded" ], "user.id": "EXAMPLE_ID", "user.name": "Alice", 
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/delete-access-key-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/delete-access-key-json.log-expected.json index e00bb042198..abcfae25b82 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/delete-access-key-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/delete-access-key-json.log-expected.json @@ -32,7 +32,7 @@ "source.address": "127.0.0.1", "source.ip": "127.0.0.1", "tags": [ - "cloud" + "forwarded" ], "user.id": "EXAMPLE_ID", "user.name": "Alice", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/delete-bucket-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/delete-bucket-json.log-expected.json index 004c95257d8..c7ed41a19c5 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/delete-bucket-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/delete-bucket-json.log-expected.json @@ -28,7 +28,7 @@ "source.address": "192.0.2.1", "source.ip": "192.0.2.1", "tags": [ - "cloud" + "forwarded" ], "user.id": "AIDAQRSTUVWXYZEXAMPLE:devdsk", "user_agent.device.name": "Spider", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/delete-group-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/delete-group-json.log-expected.json index 98c21fa1b3d..9ad99a507a6 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/delete-group-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/delete-group-json.log-expected.json @@ -29,7 +29,7 @@ "source.address": "127.0.0.1", "source.ip": "127.0.0.1", "tags": [ - "cloud" + "forwarded" ], "user.id": "0123456789012", "user.name": "Alice", @@ -66,7 +66,7 @@ "source.address": "127.0.0.1", "source.ip": "127.0.0.1", "tags": [ - "cloud" + "forwarded" ], "user.id": "EXAMPLE_PRINCIPLE", "user.name": "Alice", 
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/delete-ssh-public-key-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/delete-ssh-public-key-json.log-expected.json index f509495d499..e6dd520a96d 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/delete-ssh-public-key-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/delete-ssh-public-key-json.log-expected.json @@ -32,7 +32,7 @@ "source.address": "127.0.0.1", "source.ip": "127.0.0.1", "tags": [ - "cloud" + "forwarded" ], "user.id": "EXAMPLE_ID", "user.name": "Alice", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/delete-trail-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/delete-trail-json.log-expected.json index ec5abd05e25..48e2714075c 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/delete-trail-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/delete-trail-json.log-expected.json @@ -27,7 +27,7 @@ "source.address": "127.0.0.1", "source.ip": "127.0.0.1", "tags": [ - "cloud" + "forwarded" ], "user.id": "EXAMPLE_ID", "user.name": "Alice", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/delete-user-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/delete-user-json.log-expected.json index e11b61af4a4..b05c343b039 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/delete-user-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/delete-user-json.log-expected.json @@ -32,7 +32,7 @@ "source.address": "127.0.0.1", "source.ip": "127.0.0.1", "tags": [ - "cloud" + "forwarded" ], "user.id": "EX_PRINCIPAL_ID", "user.name": "Alice", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/delete-virtual-mfa-device-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/delete-virtual-mfa-device-json.log-expected.json index 13b67017a66..dec4fb376e5 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/delete-virtual-mfa-device-json.log-expected.json 
+++ b/x-pack/filebeat/module/aws/cloudtrail/test/delete-virtual-mfa-device-json.log-expected.json @@ -29,7 +29,7 @@ "source.address": "127.0.0.1", "source.ip": "127.0.0.1", "tags": [ - "cloud" + "forwarded" ], "user.id": "EXAMPLE_ID", "user.name": "Alice", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/enable-mfa-device-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/enable-mfa-device-json.log-expected.json index 05de75f2fe1..670a8bf85da 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/enable-mfa-device-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/enable-mfa-device-json.log-expected.json @@ -31,7 +31,7 @@ "source.address": "127.0.0.1", "source.ip": "127.0.0.1", "tags": [ - "cloud" + "forwarded" ], "user.id": "EXAMPLE_ID", "user.name": "Alice", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/remove-user-from-group-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/remove-user-from-group-json.log-expected.json index 089c152669e..7bac448522f 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/remove-user-from-group-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/remove-user-from-group-json.log-expected.json @@ -32,7 +32,7 @@ "source.address": "127.0.0.1", "source.ip": "127.0.0.1", "tags": [ - "cloud" + "forwarded" ], "user.id": "EXAMPLE_ID", "user.name": "Alice", diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/start-logging-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/start-logging-json.log-expected.json index 47ef901ef20..2fe5ca36f20 100644 --- a/x-pack/filebeat/module/aws/cloudtrail/test/start-logging-json.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudtrail/test/start-logging-json.log-expected.json @@ -30,7 +30,7 @@ "source.address": "127.0.0.1", "source.ip": "127.0.0.1", "tags": [ - "cloud" + "forwarded" ], "user.id": "EXAMPLE_ID", "user.name": "Alice", 
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/stop-logging-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/stop-logging-json.log-expected.json
index 41b5d2802b1..392b10b690b 100644
--- a/x-pack/filebeat/module/aws/cloudtrail/test/stop-logging-json.log-expected.json
+++ b/x-pack/filebeat/module/aws/cloudtrail/test/stop-logging-json.log-expected.json
@@ -30,7 +30,7 @@
 "source.address": "127.0.0.1",
 "source.ip": "127.0.0.1",
 "tags": [
- "cloud"
+ "forwarded"
 ],
 "user.id": "EXAMPLE_ID",
 "user.name": "Alice",
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/update-access-key-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/update-access-key-json.log-expected.json
index b28c382f2f9..c892d1968ff 100644
--- a/x-pack/filebeat/module/aws/cloudtrail/test/update-access-key-json.log-expected.json
+++ b/x-pack/filebeat/module/aws/cloudtrail/test/update-access-key-json.log-expected.json
@@ -32,7 +32,7 @@
 "source.address": "127.0.0.1",
 "source.ip": "127.0.0.1",
 "tags": [
- "cloud"
+ "forwarded"
 ],
 "user.id": "EXAMPLE_ID",
 "user.name": "Alice",
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/update-accout-password-policy-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/update-accout-password-policy-json.log-expected.json
index 944c843e78f..6d01d7de36f 100644
--- a/x-pack/filebeat/module/aws/cloudtrail/test/update-accout-password-policy-json.log-expected.json
+++ b/x-pack/filebeat/module/aws/cloudtrail/test/update-accout-password-policy-json.log-expected.json
@@ -29,7 +29,7 @@
 "source.address": "127.0.0.1",
 "source.ip": "127.0.0.1",
 "tags": [
- "cloud"
+ "forwarded"
 ],
 "user.id": "EXAMPLE_ID",
 "user.name": "Alice",
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/update-group-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/update-group-json.log-expected.json
index cae0aebcfda..94c01261460 100644
--- a/x-pack/filebeat/module/aws/cloudtrail/test/update-group-json.log-expected.json
+++ b/x-pack/filebeat/module/aws/cloudtrail/test/update-group-json.log-expected.json
@@ -26,7 +26,7 @@
 "source.address": "127.0.0.1",
 "source.ip": "127.0.0.1",
 "tags": [
- "cloud"
+ "forwarded"
 ],
 "user.id": "0123456789012",
 "user.name": "Alice",
@@ -64,7 +64,7 @@
 "source.address": "127.0.0.1",
 "source.ip": "127.0.0.1",
 "tags": [
- "cloud"
+ "forwarded"
 ],
 "user.id": "0123456789012",
 "user.name": "Alice",
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/update-login-profile-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/update-login-profile-json.log-expected.json
index fa962e1a918..381986a0e25 100644
--- a/x-pack/filebeat/module/aws/cloudtrail/test/update-login-profile-json.log-expected.json
+++ b/x-pack/filebeat/module/aws/cloudtrail/test/update-login-profile-json.log-expected.json
@@ -32,7 +32,7 @@
 "source.address": "127.0.0.1",
 "source.ip": "127.0.0.1",
 "tags": [
- "cloud"
+ "forwarded"
 ],
 "user.id": "EXAMPLE_ID",
 "user.name": "Alice",
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/update-ssh-public-key-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/update-ssh-public-key-json.log-expected.json
index 64ca82a5697..69f928b7abc 100644
--- a/x-pack/filebeat/module/aws/cloudtrail/test/update-ssh-public-key-json.log-expected.json
+++ b/x-pack/filebeat/module/aws/cloudtrail/test/update-ssh-public-key-json.log-expected.json
@@ -32,7 +32,7 @@
 "source.address": "127.0.0.1",
 "source.ip": "127.0.0.1",
 "tags": [
- "cloud"
+ "forwarded"
 ],
 "user.id": "EXAMPLE_ID",
 "user.name": "Alice",
@@ -73,7 +73,7 @@
 "source.address": "127.0.0.1",
 "source.ip": "127.0.0.1",
 "tags": [
- "cloud"
+ "forwarded"
 ],
 "user.id": "EXAMPLE_ID",
 "user.name": "Alice",
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/update-trail-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/update-trail-json.log-expected.json
index 88637b379a7..bb67237971e 100644
--- a/x-pack/filebeat/module/aws/cloudtrail/test/update-trail-json.log-expected.json
+++ b/x-pack/filebeat/module/aws/cloudtrail/test/update-trail-json.log-expected.json
@@ -35,7 +35,7 @@
 "source.geo.region_name": "Oregon",
 "source.ip": "205.251.233.182",
 "tags": [
- "cloud"
+ "forwarded"
 ],
 "user.id": "EX_PRINCIPAL_ID",
 "user.name": "Alice",
@@ -77,7 +77,7 @@
 "source.address": "127.0.0.1",
 "source.ip": "127.0.0.1",
 "tags": [
- "cloud"
+ "forwarded"
 ],
 "user.id": "EXAMPLE_ID",
 "user.name": "Alice",
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/update-user-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/update-user-json.log-expected.json
index 85ed8870e54..2c97ff455df 100644
--- a/x-pack/filebeat/module/aws/cloudtrail/test/update-user-json.log-expected.json
+++ b/x-pack/filebeat/module/aws/cloudtrail/test/update-user-json.log-expected.json
@@ -30,7 +30,7 @@
 "source.address": "127.0.0.1",
 "source.ip": "127.0.0.1",
 "tags": [
- "cloud"
+ "forwarded"
 ],
 "user.id": "EX_PRINCIPAL_ID",
 "user.name": "Alice",
diff --git a/x-pack/filebeat/module/aws/cloudtrail/test/upload-ssh-public-key-json.log-expected.json b/x-pack/filebeat/module/aws/cloudtrail/test/upload-ssh-public-key-json.log-expected.json
index 947d2c0aeb4..a111370b004 100644
--- a/x-pack/filebeat/module/aws/cloudtrail/test/upload-ssh-public-key-json.log-expected.json
+++ b/x-pack/filebeat/module/aws/cloudtrail/test/upload-ssh-public-key-json.log-expected.json
@@ -33,7 +33,7 @@
 "source.address": "127.0.0.1",
 "source.ip": "127.0.0.1",
 "tags": [
- "cloud"
+ "forwarded"
 ],
 "user.id": "EXAMPLE_ID",
 "user.name": "Alice",
diff --git a/x-pack/filebeat/module/aws/cloudwatch/config/file.yml b/x-pack/filebeat/module/aws/cloudwatch/config/file.yml
index b80698e7051..5a56f210c79 100644
--- a/x-pack/filebeat/module/aws/cloudwatch/config/file.yml +++ b/x-pack/filebeat/module/aws/cloudwatch/config/file.yml @@ -5,7 +5,7 @@ paths: {{ end }} exclude_files: [".gz$"] tags: {{.tags | tojson}} -publisher_pipeline.disable_host: {{ inList .tags "cloud" }} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} processors: - add_fields: diff --git a/x-pack/filebeat/module/aws/cloudwatch/config/s3.yml b/x-pack/filebeat/module/aws/cloudwatch/config/s3.yml index ca998a4e1d1..073eca58ab2 100644 --- a/x-pack/filebeat/module/aws/cloudwatch/config/s3.yml +++ b/x-pack/filebeat/module/aws/cloudwatch/config/s3.yml @@ -38,7 +38,7 @@ role_arn: {{ .role_arn }} {{ end }} tags: {{.tags | tojson}} -publisher_pipeline.disable_host: {{ inList .tags "cloud" }} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} processors: - add_fields: diff --git a/x-pack/filebeat/module/aws/cloudwatch/manifest.yml b/x-pack/filebeat/module/aws/cloudwatch/manifest.yml index 774964c2f49..2878c79936d 100644 --- a/x-pack/filebeat/module/aws/cloudwatch/manifest.yml +++ b/x-pack/filebeat/module/aws/cloudwatch/manifest.yml @@ -14,7 +14,7 @@ var: - name: session_token - name: role_arn - name: tags - default: [cloud] + default: [forwarded] ingest_pipeline: ingest/pipeline.yml input: config/{{.input}}.yml diff --git a/x-pack/filebeat/module/aws/cloudwatch/test/cloudwatch_ec2.log-expected.json b/x-pack/filebeat/module/aws/cloudwatch/test/cloudwatch_ec2.log-expected.json index 7520b2763f5..42cf5fb35dc 100644 --- a/x-pack/filebeat/module/aws/cloudwatch/test/cloudwatch_ec2.log-expected.json +++ b/x-pack/filebeat/module/aws/cloudwatch/test/cloudwatch_ec2.log-expected.json @@ -10,7 +10,7 @@ "message": "2020-02-20T07:01:01.000Z Feb 20 07:01:01 ip-172-31-81-156 systemd: Stopping User Slice of root.", "service.type": "aws", "tags": [ - "cloud" + "forwarded" ] }, { 
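Review bot: The new `publisher_pipeline.disable_host` line is a bare string-membership test on the user-controlled `tags` list, so any `var.tags` override that omits `forwarded` silently re-enables `host.*` on events that were pulled from a cloud API, and nothing in the template or the manifest documents that coupling. The same line recurs in the cloudwatch s3.yml hunk and in the ec2, elb, s3access, vpcflow and azure config hunks, and the `default: [forwarded]` change in every manifest.yml hunk is its other half. I would add a comment above the manifest default, e.g. `# "forwarded" also drives publisher_pipeline.disable_host in config/*.yml; keep it when adding custom tags, otherwise host.* of the Filebeat host is attached to events that did not originate there.` Presumably the `add_host_metadata` processor in the default filebeat.yml is gated on the same tag string (that file is outside this chunk), so renaming the tag in one place without the other would reintroduce the inaccurate `host` fields; a note in each template naming that dependency would make such drift visible in review. Since the tag value also lands in the indexed `tags` field, any saved query or detection rule matching `tags: cloud` stops matching after this change and is worth a changelog line.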
@@ -24,7 +24,7 @@ "message": "2020-02-20T07:02:18.000Z Feb 20 07:02:18 ip-172-31-81-156 dhclient[3000]: XMT: Solicit on eth0, interval 125240ms.", "service.type": "aws", "tags": [ - "cloud" + "forwarded" ] }, { @@ -38,7 +38,7 @@ "message": "2020-02-20T07:02:37.000Z Feb 20 07:02:37 ip-172-31-81-156 dhclient[2898]: DHCPREQUEST on eth0 to 172.31.80.1 port 67 (xid=0x4575af22)", "service.type": "aws", "tags": [ - "cloud" + "forwarded" ] }, { @@ -52,7 +52,7 @@ "message": "2020-02-20T07:02:37.000Z Feb 20 07:02:37 ip-172-31-81-156 dhclient[2898]: DHCPACK from 172.31.80.1 (xid=0x4575af22)", "service.type": "aws", "tags": [ - "cloud" + "forwarded" ] }, { @@ -66,7 +66,7 @@ "message": "2020-02-20T07:02:37.000Z Feb 20 07:02:37 ip-172-31-81-156 dhclient[2898]: bound to 172.31.81.156 -- renewal in 1599 seconds.", "service.type": "aws", "tags": [ - "cloud" + "forwarded" ] }, { @@ -80,7 +80,7 @@ "message": "2020-02-20T07:02:37.000Z Feb 20 07:02:37 ip-172-31-81-156 ec2net: [get_meta] Trying to get http://169.254.169.254/latest/meta-data/network/interfaces/macs/12:e2:a9:95:8b:97/local-ipv4s", "service.type": "aws", "tags": [ - "cloud" + "forwarded" ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/aws/ec2/config/file.yml b/x-pack/filebeat/module/aws/ec2/config/file.yml index b80698e7051..5a56f210c79 100644 --- a/x-pack/filebeat/module/aws/ec2/config/file.yml +++ b/x-pack/filebeat/module/aws/ec2/config/file.yml @@ -5,7 +5,7 @@ paths: {{ end }} exclude_files: [".gz$"] tags: {{.tags | tojson}} -publisher_pipeline.disable_host: {{ inList .tags "cloud" }} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} processors: - add_fields: diff --git a/x-pack/filebeat/module/aws/ec2/config/s3.yml b/x-pack/filebeat/module/aws/ec2/config/s3.yml index ca998a4e1d1..073eca58ab2 100644 --- a/x-pack/filebeat/module/aws/ec2/config/s3.yml +++ b/x-pack/filebeat/module/aws/ec2/config/s3.yml 
@@ -38,7 +38,7 @@ role_arn: {{ .role_arn }} {{ end }} tags: {{.tags | tojson}} -publisher_pipeline.disable_host: {{ inList .tags "cloud" }} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} processors: - add_fields: diff --git a/x-pack/filebeat/module/aws/ec2/manifest.yml b/x-pack/filebeat/module/aws/ec2/manifest.yml index 774964c2f49..2878c79936d 100644 --- a/x-pack/filebeat/module/aws/ec2/manifest.yml +++ b/x-pack/filebeat/module/aws/ec2/manifest.yml @@ -14,7 +14,7 @@ var: - name: session_token - name: role_arn - name: tags - default: [cloud] + default: [forwarded] ingest_pipeline: ingest/pipeline.yml input: config/{{.input}}.yml diff --git a/x-pack/filebeat/module/aws/ec2/test/ec2.log-expected.json b/x-pack/filebeat/module/aws/ec2/test/ec2.log-expected.json index 60ae1b62a53..b00d6950ee4 100644 --- a/x-pack/filebeat/module/aws/ec2/test/ec2.log-expected.json +++ b/x-pack/filebeat/module/aws/ec2/test/ec2.log-expected.json @@ -11,7 +11,7 @@ "process.name": "systemd", "service.type": "aws", "tags": [ - "cloud" + "forwarded" ] }, { @@ -27,7 +27,7 @@ "process.pid": "3000", "service.type": "aws", "tags": [ - "cloud" + "forwarded" ] }, { @@ -43,7 +43,7 @@ "process.pid": "2898", "service.type": "aws", "tags": [ - "cloud" + "forwarded" ] }, { @@ -59,7 +59,7 @@ "process.pid": "2898", "service.type": "aws", "tags": [ - "cloud" + "forwarded" ] }, { @@ -75,7 +75,7 @@ "process.pid": "2898", "service.type": "aws", "tags": [ - "cloud" + "forwarded" ] }, { @@ -90,7 +90,7 @@ "process.name": "ec2net", "service.type": "aws", "tags": [ - "cloud" + "forwarded" ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/aws/elb/config/file.yml b/x-pack/filebeat/module/aws/elb/config/file.yml index dd115d9b78b..498a7906457 100644 --- a/x-pack/filebeat/module/aws/elb/config/file.yml +++ b/x-pack/filebeat/module/aws/elb/config/file.yml 
@@ -5,7 +5,7 @@ paths: {{ end }} exclude_files: [".gz$"] tags: {{.tags | tojson}} -publisher_pipeline.disable_host: {{ inList .tags "cloud" }} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} processors: - add_fields: diff --git a/x-pack/filebeat/module/aws/elb/config/s3.yml b/x-pack/filebeat/module/aws/elb/config/s3.yml index ca998a4e1d1..073eca58ab2 100644 --- a/x-pack/filebeat/module/aws/elb/config/s3.yml +++ b/x-pack/filebeat/module/aws/elb/config/s3.yml @@ -38,7 +38,7 @@ role_arn: {{ .role_arn }} {{ end }} tags: {{.tags | tojson}} -publisher_pipeline.disable_host: {{ inList .tags "cloud" }} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} processors: - add_fields: diff --git a/x-pack/filebeat/module/aws/elb/manifest.yml b/x-pack/filebeat/module/aws/elb/manifest.yml index 5ecd7ac5cfe..f823ccbacce 100644 --- a/x-pack/filebeat/module/aws/elb/manifest.yml +++ b/x-pack/filebeat/module/aws/elb/manifest.yml @@ -14,7 +14,7 @@ var: - name: session_token - name: role_arn - name: tags - default: [cloud] + default: [forwarded] ingest_pipeline: ingest/pipeline.yml input: config/{{.input}}.yml diff --git a/x-pack/filebeat/module/aws/elb/test/application-lb-http.log-expected.json b/x-pack/filebeat/module/aws/elb/test/application-lb-http.log-expected.json index ee4c5539c50..eddf8ae9c5a 100644 --- a/x-pack/filebeat/module/aws/elb/test/application-lb-http.log-expected.json +++ b/x-pack/filebeat/module/aws/elb/test/application-lb-http.log-expected.json @@ -42,7 +42,7 @@ "source.ip": "77.227.156.41", "source.port": "56398", "tags": [ - "cloud" + "forwarded" ], "tracing.trace.id": "Root=1-5da09932-2c342a443bfb96249aa50ed7", "user_agent.original": "curl/7.58.0" @@ -90,7 +90,7 @@ "source.ip": "77.227.156.41", "source.port": "56488", "tags": [ - "cloud" + "forwarded" ], "tracing.trace.id": "Root=1-5da09954-2c342a443bfb96249aa50ed7", "user_agent.original": "curl/7.58.0" 
@@ -138,7 +138,7 @@
 "source.ip": "77.227.156.41",
 "source.port": "56416",
 "tags": [
- "cloud"
+ "forwarded"
 ],
 "tracing.trace.id": "Root=1-5da09938-d9c72660e247c36070017828",
 "user_agent.original": "curl/7.58.0"
@@ -186,7 +186,7 @@
 "source.ip": "77.227.156.41",
 "source.port": "56448",
 "tags": [
- "cloud"
+ "forwarded"
 ],
 "tracing.trace.id": "Root=1-5da09945-0eaa8050df7d96f84806ded0",
 "user_agent.original": "curl/7.58.0"
@@ -234,7 +234,7 @@
 "source.ip": "77.227.156.41",
 "source.port": "56602",
 "tags": [
- "cloud"
+ "forwarded"
 ],
 "tracing.trace.id": "Root=1-5da0997a-5add00b04bc8ae20ae96d9f0",
 "user_agent.original": "curl/7.58.0"
@@ -282,7 +282,7 @@
 "source.ip": "77.227.156.41",
 "source.port": "56638",
 "tags": [
- "cloud"
+ "forwarded"
 ],
 "tracing.trace.id": "Root=1-5da09987-cc391940b332434860dfa848",
 "user_agent.original": "curl/7.58.0"
@@ -330,7 +330,7 @@
 "source.ip": "77.227.156.41",
 "source.port": "37632",
 "tags": [
- "cloud"
+ "forwarded"
 ],
 "tracing.trace.id": "Root=1-5da099cb-3d3b17eb2b75373f4c0c36c5",
 "user_agent.original": "curl/7.58.0"
@@ -382,7 +382,7 @@
 "source.ip": "77.227.156.41",
 "source.port": "37838",
 "tags": [
- "cloud"
+ "forwarded"
 ],
 "tracing.trace.id": "Root=1-5da0a5dd-4d9a423a0e9a782fe2f390af",
 "user_agent.original": "curl/7.58.0"
@@ -434,7 +434,7 @@
 "source.ip": "77.227.156.41",
 "source.port": "37850",
 "tags": [
- "cloud"
+ "forwarded"
 ],
 "tracing.trace.id": "Root=1-5da0a5df-7d64cabe9955b4df9acc800a",
 "user_agent.original": "curl/7.58.0"
@@ -486,7 +486,7 @@
 "source.ip": "77.227.156.41",
 "source.port": "37856",
 "tags": [
- "cloud"
+ "forwarded"
 ],
 "tracing.trace.id": "Root=1-5da0a5df-7c958e828ff43b63d0e0fac4",
 "user_agent.original": "curl/7.58.0"
diff --git a/x-pack/filebeat/module/aws/elb/test/elb-http.log-expected.json b/x-pack/filebeat/module/aws/elb/test/elb-http.log-expected.json
index 36b697498ef..a0d7a291196 100644
--- a/x-pack/filebeat/module/aws/elb/test/elb-http.log-expected.json
+++ b/x-pack/filebeat/module/aws/elb/test/elb-http.log-expected.json
@@ -38,7 +38,7 @@
 "source.ip": "78.24.182.42",
 "source.port": "54106",
 "tags": [
- "cloud"
+ "forwarded"
 ],
 "user_agent.original": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
 },
@@ -81,7 +81,7 @@
 "source.ip": "31.135.65.4",
 "source.port": "54001",
 "tags": [
- "cloud"
+ "forwarded"
 ],
 "user_agent.original": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"
 },
@@ -124,7 +124,7 @@
 "source.ip": "77.227.156.41",
 "source.port": "52406",
 "tags": [
- "cloud"
+ "forwarded"
 ],
 "user_agent.original": "curl/7.58.0"
 },
@@ -167,7 +167,7 @@
 "source.ip": "77.227.156.41",
 "source.port": "52410",
 "tags": [
- "cloud"
+ "forwarded"
 ],
 "user_agent.original": "curl/7.58.0"
 },
@@ -210,7 +210,7 @@
 "source.ip": "77.227.156.41",
 "source.port": "52414",
 "tags": [
- "cloud"
+ "forwarded"
 ],
 "user_agent.original": "curl/7.58.0"
 }
diff --git a/x-pack/filebeat/module/aws/elb/test/elb-tcp.log-expected.json b/x-pack/filebeat/module/aws/elb/test/elb-tcp.log-expected.json
index 47a50ccecf9..8b394e2b07e 100644
--- a/x-pack/filebeat/module/aws/elb/test/elb-tcp.log-expected.json
+++ b/x-pack/filebeat/module/aws/elb/test/elb-tcp.log-expected.json
@@ -32,7 +32,7 @@
 "source.ip": "77.227.156.41",
 "source.port": "51600",
 "tags": [
- "cloud"
+ "forwarded"
 ]
 },
 {
@@ -68,7 +68,7 @@
 "source.ip": "77.227.156.41",
 "source.port": "51726",
 "tags": [
- "cloud"
+ "forwarded"
 ]
 },
 {
@@ -104,7 +104,7 @@
 "source.ip": "77.227.156.41",
 "source.port": "51734",
 "tags": [
- "cloud"
+ "forwarded"
 ]
 },
 {
@@ -140,7 +140,7 @@
 "source.ip": "77.227.156.41",
 "source.port": "51738",
 "tags": [
- "cloud"
+ "forwarded"
 ]
 },
 {
@@ -176,7 +176,7 @@
 "source.ip": "77.227.156.41",
 "source.port": "46288",
 "tags": [
- "cloud"
+ "forwarded"
 ]
 },
 {
@@ -212,7 +212,7 @@
 "source.ip": "77.227.156.41",
 "source.port": "46304",
 "tags": [
- "cloud"
+ "forwarded"
 ]
 }
 ]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/aws/elb/test/example-alb-http.log-expected.json b/x-pack/filebeat/module/aws/elb/test/example-alb-http.log-expected.json
index fc916f87a3e..3310b9d35c5 100644
--- a/x-pack/filebeat/module/aws/elb/test/example-alb-http.log-expected.json
+++ b/x-pack/filebeat/module/aws/elb/test/example-alb-http.log-expected.json
@@ -37,7 +37,7 @@
 "source.ip": "192.168.131.39",
 "source.port": "2817",
 "tags": [
- "cloud"
+ "forwarded"
 ],
 "tracing.trace.id": "Root=1-58337262-36d228ad5d99923122bbe354",
 "user_agent.original": "curl/7.46.0"
@@ -85,7 +85,7 @@
 "source.ip": "192.168.131.39",
 "source.port": "2817",
 "tags": [
- "cloud"
+ "forwarded"
 ],
 "tls.cipher": "ECDHE-RSA-AES128-GCM-SHA256",
 "tls.version": "1.2",
@@ -134,7 +134,7 @@
 "source.ip": "10.0.1.252",
 "source.port": "48160",
 "tags": [
- "cloud"
+ "forwarded"
 ],
 "tls.cipher": "ECDHE-RSA-AES128-GCM-SHA256",
 "tls.version": "1.2",
@@ -180,7 +180,7 @@
 "source.ip": "10.0.0.140",
 "source.port": "40914",
 "tags": [
- "cloud"
+ "forwarded"
 ],
 "tracing.trace.id": "Root=1-58337364-23a8c76965a2ef7629b185e3",
 "user_agent.original": "-"
@@ -217,7 +217,7 @@
 "source.ip": "10.0.0.140",
 "source.port": "44244",
 "tags": [
- "cloud"
+ "forwarded"
 ],
 "tls.cipher": "ECDHE-RSA-AES128-GCM-SHA256",
 "tls.version": "1.2",
@@ -260,7 +260,7 @@
 "source.ip": "192.168.131.39",
 "source.port": "2817",
 "tags": [
- "cloud"
+ "forwarded"
 ],
 "tracing.trace.id": "Root=1-58337364-23a8c76965a2ef7629b185e3",
 "user_agent.original": "curl/7.46.0"
@@ -301,7 +301,7 @@
 "source.ip": "192.168.131.39",
 "source.port": "2817",
 "tags": [
- "cloud"
+ "forwarded"
 ],
 "tracing.trace.id": "Root=1-58337364-23a8c76965a2ef7629b185e3",
 "user_agent.original": "curl/7.46.0"
@@ -333,7 +333,7 @@
 "source.ip": "192.168.131.39",
 "source.port": "2817",
 "tags": [
- "cloud"
+ "forwarded"
 ],
 "tracing.trace.id": "-",
 "user_agent.original": "-"
@@ -364,7 +364,7 @@
 "source.ip": "192.168.131.39",
 "source.port": "2817",
 "tags": [
- "cloud"
+ "forwarded"
 ],
 "tracing.trace.id": "-",
 "user_agent.original": "-"
diff --git a/x-pack/filebeat/module/aws/elb/test/example-http.log-expected.json b/x-pack/filebeat/module/aws/elb/test/example-http.log-expected.json
index 4d039e3a34c..21ede75caab 100644
--- a/x-pack/filebeat/module/aws/elb/test/example-http.log-expected.json
+++ b/x-pack/filebeat/module/aws/elb/test/example-http.log-expected.json
@@ -29,7 +29,7 @@
 "source.ip": "192.168.131.39",
 "source.port": "2817",
 "tags": [
- "cloud"
+ "forwarded"
 ],
 "user_agent.original": "curl/7.38.0"
 },
@@ -57,7 +57,7 @@
 "source.ip": "192.168.131.39",
 "source.port": "2817",
 "tags": [
- "cloud"
+ "forwarded"
 ],
 "user_agent.original": "curl/7.38.0"
 },
@@ -84,7 +84,7 @@
 "source.ip": "192.168.131.39",
 "source.port": "2817",
 "tags": [
- "cloud"
+ "forwarded"
 ],
 "user_agent.original": "-"
 }
diff --git a/x-pack/filebeat/module/aws/elb/test/example-https.log-expected.json b/x-pack/filebeat/module/aws/elb/test/example-https.log-expected.json
index f3431eec5ea..8efd9e000bb 100644
--- a/x-pack/filebeat/module/aws/elb/test/example-https.log-expected.json
+++ b/x-pack/filebeat/module/aws/elb/test/example-https.log-expected.json
@@ -31,7 +31,7 @@
 "source.ip": "192.168.131.39",
 "source.port": "2817",
 "tags": [
- "cloud"
+ "forwarded"
 ],
 "tls.cipher": "DHE-RSA-AES128-SHA",
 "tls.version": "1.2",
diff --git a/x-pack/filebeat/module/aws/elb/test/example-nlb-tcp.log-expected.json b/x-pack/filebeat/module/aws/elb/test/example-nlb-tcp.log-expected.json
index 8421e2490aa..e9564154424 100644
--- a/x-pack/filebeat/module/aws/elb/test/example-nlb-tcp.log-expected.json
+++ b/x-pack/filebeat/module/aws/elb/test/example-nlb-tcp.log-expected.json
@@ -37,7 +37,7 @@ "source.ip": "72.21.218.154", "source.port": "51341", "tags": [ - "cloud" + "forwarded" ], "tls.cipher": "ECDHE-RSA-AES128-SHA", "tls.version": "1.2", diff --git a/x-pack/filebeat/module/aws/elb/test/example-ssl.log-expected.json b/x-pack/filebeat/module/aws/elb/test/example-ssl.log-expected.json index 1631ca8436f..acdbaa6f9b6 100644 --- a/x-pack/filebeat/module/aws/elb/test/example-ssl.log-expected.json +++ b/x-pack/filebeat/module/aws/elb/test/example-ssl.log-expected.json @@ -25,7 +25,7 @@ "source.ip": "192.168.131.39", "source.port": "2817", "tags": [ - "cloud" + "forwarded" ], "tls.cipher": "ECDHE-ECDSA-AES128-GCM-SHA256", "tls.version": "1.2", diff --git a/x-pack/filebeat/module/aws/elb/test/example-tcp.log-expected.json b/x-pack/filebeat/module/aws/elb/test/example-tcp.log-expected.json index cbbfcd5c2d7..20e2c101ed7 100644 --- a/x-pack/filebeat/module/aws/elb/test/example-tcp.log-expected.json +++ b/x-pack/filebeat/module/aws/elb/test/example-tcp.log-expected.json @@ -23,7 +23,7 @@ "source.ip": "192.168.131.39", "source.port": "2817", "tags": [ - "cloud" + "forwarded" ] }, { @@ -45,7 +45,7 @@ "source.ip": "192.168.131.39", "source.port": "2817", "tags": [ - "cloud" + "forwarded" ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/aws/s3access/config/file.yml b/x-pack/filebeat/module/aws/s3access/config/file.yml index dd115d9b78b..498a7906457 100644 --- a/x-pack/filebeat/module/aws/s3access/config/file.yml +++ b/x-pack/filebeat/module/aws/s3access/config/file.yml @@ -5,7 +5,7 @@ paths: {{ end }} exclude_files: [".gz$"] tags: {{.tags | tojson}} -publisher_pipeline.disable_host: {{ inList .tags "cloud" }} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} processors: - add_fields: diff --git a/x-pack/filebeat/module/aws/s3access/config/s3.yml b/x-pack/filebeat/module/aws/s3access/config/s3.yml index ca998a4e1d1..073eca58ab2 100644 --- a/x-pack/filebeat/module/aws/s3access/config/s3.yml 
+++ b/x-pack/filebeat/module/aws/s3access/config/s3.yml @@ -38,7 +38,7 @@ role_arn: {{ .role_arn }} {{ end }} tags: {{.tags | tojson}} -publisher_pipeline.disable_host: {{ inList .tags "cloud" }} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} processors: - add_fields: diff --git a/x-pack/filebeat/module/aws/s3access/manifest.yml b/x-pack/filebeat/module/aws/s3access/manifest.yml index 774964c2f49..2878c79936d 100644 --- a/x-pack/filebeat/module/aws/s3access/manifest.yml +++ b/x-pack/filebeat/module/aws/s3access/manifest.yml @@ -14,7 +14,7 @@ var: - name: session_token - name: role_arn - name: tags - default: [cloud] + default: [forwarded] ingest_pipeline: ingest/pipeline.yml input: config/{{.input}}.yml diff --git a/x-pack/filebeat/module/aws/s3access/test/s3_server_access.log-expected.json b/x-pack/filebeat/module/aws/s3access/test/s3_server_access.log-expected.json index ff117b32a06..273b1512556 100644 --- a/x-pack/filebeat/module/aws/s3access/test/s3_server_access.log-expected.json +++ b/x-pack/filebeat/module/aws/s3access/test/s3_server_access.log-expected.json @@ -48,7 +48,7 @@ ], "service.type": "aws", "tags": [ - "cloud" + "forwarded" ], "tls.cipher": "ECDHE-RSA-AES128-SHA", "tls.version": "1.2", @@ -110,7 +110,7 @@ ], "service.type": "aws", "tags": [ - "cloud" + "forwarded" ], "tls.cipher": "ECDHE-RSA-AES128-SHA", "tls.version": "1.2", @@ -173,7 +173,7 @@ ], "service.type": "aws", "tags": [ - "cloud" + "forwarded" ], "tls.cipher": "ECDHE-RSA-AES128-SHA", "tls.version": "1.2", @@ -235,7 +235,7 @@ ], "service.type": "aws", "tags": [ - "cloud" + "forwarded" ], "tls.cipher": "ECDHE-RSA-AES128-SHA", "tls.version": "1.2", @@ -294,7 +294,7 @@ ], "service.type": "aws", "tags": [ - "cloud" + "forwarded" ], "tls.cipher": "ECDHE-RSA-AES128-SHA", "tls.version": "1.2", @@ -346,7 +346,7 @@ ], "service.type": "aws", "tags": [ - "cloud" + "forwarded" ], "tls.cipher": "ECDHE-RSA-AES128-SHA", "tls.version": "1.2", 
diff --git a/x-pack/filebeat/module/aws/s3access/test/test.log-expected.json b/x-pack/filebeat/module/aws/s3access/test/test.log-expected.json index c815f5156f9..fb6c38fb108 100644 --- a/x-pack/filebeat/module/aws/s3access/test/test.log-expected.json +++ b/x-pack/filebeat/module/aws/s3access/test/test.log-expected.json @@ -41,7 +41,7 @@ ], "service.type": "aws", "tags": [ - "cloud" + "forwarded" ], "tls.cipher": "ECDHE-RSA-AES128-GCM-SHA256", "tls.version": "1.1", @@ -92,7 +92,7 @@ ], "service.type": "aws", "tags": [ - "cloud" + "forwarded" ], "tls.cipher": "ECDHE-RSA-AES128-GCM-SHA256", "tls.version": "1.1", @@ -145,7 +145,7 @@ ], "service.type": "aws", "tags": [ - "cloud" + "forwarded" ], "tls.cipher": "ECDHE-RSA-AES128-GCM-SHA256", "tls.version": "1.1", @@ -196,7 +196,7 @@ ], "service.type": "aws", "tags": [ - "cloud" + "forwarded" ], "tls.cipher": "ECDHE-RSA-AES128-GCM-SHA256", "tls.version": "1.1", @@ -249,7 +249,7 @@ ], "service.type": "aws", "tags": [ - "cloud" + "forwarded" ], "tls.cipher": "ECDHE-RSA-AES128-SHA", "tls.version": "1.1", diff --git a/x-pack/filebeat/module/aws/vpcflow/config/input.yml b/x-pack/filebeat/module/aws/vpcflow/config/input.yml index 57a97aa886e..c9e88b6a743 100644 --- a/x-pack/filebeat/module/aws/vpcflow/config/input.yml +++ b/x-pack/filebeat/module/aws/vpcflow/config/input.yml @@ -50,7 +50,7 @@ exclude_files: [".gz$"] {{ end }} tags: {{.tags | tojson}} -publisher_pipeline.disable_host: {{ inList .tags "cloud" }} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} processors: - drop_event: diff --git a/x-pack/filebeat/module/aws/vpcflow/manifest.yml b/x-pack/filebeat/module/aws/vpcflow/manifest.yml index 4b50161da99..c7df14a4050 100644 --- a/x-pack/filebeat/module/aws/vpcflow/manifest.yml +++ b/x-pack/filebeat/module/aws/vpcflow/manifest.yml @@ -14,7 +14,7 @@ var: - name: session_token - name: role_arn - name: tags - default: [cloud] + default: [forwarded] ingest_pipeline: ingest/pipeline.yml input: config/input.yml 
diff --git a/x-pack/filebeat/module/aws/vpcflow/test/accept-reject-traffic.log-expected.json b/x-pack/filebeat/module/aws/vpcflow/test/accept-reject-traffic.log-expected.json
index 70f0bd1e835..170b8851ec9 100644
--- a/x-pack/filebeat/module/aws/vpcflow/test/accept-reject-traffic.log-expected.json
+++ b/x-pack/filebeat/module/aws/vpcflow/test/accept-reject-traffic.log-expected.json
@@ -55,7 +55,7 @@
 "source.packets": 20,
 "source.port": 20641,
 "tags": [
- "cloud"
+ "forwarded"
 ]
 },
 {
@@ -114,7 +114,7 @@
 "source.packets": 20,
 "source.port": 49761,
 "tags": [
- "cloud"
+ "forwarded"
 ]
 },
 {
@@ -157,7 +157,7 @@
 "source.packets": 4,
 "source.port": 0,
 "tags": [
- "cloud"
+ "forwarded"
 ]
 },
 {
@@ -200,7 +200,7 @@
 "source.packets": 4,
 "source.port": 0,
 "tags": [
- "cloud"
+ "forwarded"
 ]
 }
 ]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/aws/vpcflow/test/custom-nat-gateway.log-expected.json b/x-pack/filebeat/module/aws/vpcflow/test/custom-nat-gateway.log-expected.json
index b8e660f4f58..d508bd63479 100644
--- a/x-pack/filebeat/module/aws/vpcflow/test/custom-nat-gateway.log-expected.json
+++ b/x-pack/filebeat/module/aws/vpcflow/test/custom-nat-gateway.log-expected.json
@@ -25,7 +25,7 @@
 "source.address": "10.0.1.5",
 "source.ip": "10.0.1.5",
 "tags": [
- "cloud"
+ "forwarded"
 ]
 },
 {
@@ -55,7 +55,7 @@
 "source.address": "10.0.1.5",
 "source.ip": "10.0.1.5",
 "tags": [
- "cloud"
+ "forwarded"
 ]
 }
 ]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/aws/vpcflow/test/custom-transit-gateway.log-expected.json b/x-pack/filebeat/module/aws/vpcflow/test/custom-transit-gateway.log-expected.json
index a822c8ed25a..0a8feef3be5 100644
--- a/x-pack/filebeat/module/aws/vpcflow/test/custom-transit-gateway.log-expected.json
+++ b/x-pack/filebeat/module/aws/vpcflow/test/custom-transit-gateway.log-expected.json
@@ -41,7 +41,7 @@
 "source.ip": "10.20.33.164",
 "source.port": 39812,
 "tags": [
- "cloud"
+ "forwarded"
 ]
 }
 ]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/aws/vpcflow/test/ipv6.log-expected.json b/x-pack/filebeat/module/aws/vpcflow/test/ipv6.log-expected.json
index 47c65c5d734..ac0ead951e9 100644
--- a/x-pack/filebeat/module/aws/vpcflow/test/ipv6.log-expected.json
+++ b/x-pack/filebeat/module/aws/vpcflow/test/ipv6.log-expected.json
@@ -40,7 +40,7 @@
 "source.packets": 54,
 "source.port": 34892,
 "tags": [
- "cloud"
+ "forwarded"
 ]
 }
 ]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/aws/vpcflow/test/no-data-skip-data.log-expected.json b/x-pack/filebeat/module/aws/vpcflow/test/no-data-skip-data.log-expected.json
index 081d0b654ca..22705d87101 100644
--- a/x-pack/filebeat/module/aws/vpcflow/test/no-data-skip-data.log-expected.json
+++ b/x-pack/filebeat/module/aws/vpcflow/test/no-data-skip-data.log-expected.json
@@ -21,7 +21,7 @@
 "log.offset": 0,
 "service.type": "aws",
 "tags": [
- "cloud"
+ "forwarded"
 ]
 },
 {
@@ -46,7 +46,7 @@
 "log.offset": 82,
 "service.type": "aws",
 "tags": [
- "cloud"
+ "forwarded"
 ]
 }
 ]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/aws/vpcflow/test/tcp-flag-sequence.log-expected.json b/x-pack/filebeat/module/aws/vpcflow/test/tcp-flag-sequence.log-expected.json
index d65139843f3..6b7b788ac97 100644
--- a/x-pack/filebeat/module/aws/vpcflow/test/tcp-flag-sequence.log-expected.json
+++ b/x-pack/filebeat/module/aws/vpcflow/test/tcp-flag-sequence.log-expected.json
@@ -57,7 +57,7 @@
 "source.packets": 8,
 "source.port": 43416,
 "tags": [
- "cloud"
+ "forwarded"
 ]
 }
 ]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/azure/activitylogs/config/azure-eventhub.yml b/x-pack/filebeat/module/azure/activitylogs/config/azure-eventhub.yml
index 247c34aed4c..9f24f85e3eb 100644
--- a/x-pack/filebeat/module/azure/activitylogs/config/azure-eventhub.yml
+++ b/x-pack/filebeat/module/azure/activitylogs/config/azure-eventhub.yml
@@ -6,5 +6,5 @@ storage_account: {{ .storage_account }}
 storage_account_key: {{ .storage_account_key }}
 resource_manager_endpoint: {{ .resource_manager_endpoint }}
 tags: {{.tags | tojson}}
-publisher_pipeline.disable_host: {{ inList .tags "cloud" }}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
 
diff --git a/x-pack/filebeat/module/azure/activitylogs/config/file.yml b/x-pack/filebeat/module/azure/activitylogs/config/file.yml
index bfef9c90eec..456cc5dce7c 100644
--- a/x-pack/filebeat/module/azure/activitylogs/config/file.yml
+++ b/x-pack/filebeat/module/azure/activitylogs/config/file.yml
@@ -5,4 +5,4 @@ paths:
 {{ end }}
 exclude_files: [".gz$"]
 tags: {{.tags | tojson}}
-publisher_pipeline.disable_host: {{ inList .tags "cloud" }}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
diff --git a/x-pack/filebeat/module/azure/activitylogs/manifest.yml b/x-pack/filebeat/module/azure/activitylogs/manifest.yml
index 982b2d40595..c83f17ce1a0 100644
--- a/x-pack/filebeat/module/azure/activitylogs/manifest.yml
+++ b/x-pack/filebeat/module/azure/activitylogs/manifest.yml
@@ -12,7 +12,7 @@ var:
   - name: storage_account_key
   - name: resource_manager_endpoint
   - name: tags
-    default: [cloud]
+    default: [forwarded]
 
 ingest_pipeline:
   - ingest/pipeline.json
diff --git a/x-pack/filebeat/module/azure/activitylogs/test/activitylogs.log-expected.json b/x-pack/filebeat/module/azure/activitylogs/test/activitylogs.log-expected.json
index 38be6a968ca..258a04d0aab 100644
--- a/x-pack/filebeat/module/azure/activitylogs/test/activitylogs.log-expected.json
+++ b/x-pack/filebeat/module/azure/activitylogs/test/activitylogs.log-expected.json
@@ -50,7 +50,7 @@
         "service.type": "azure",
         "source.ip": "51.251.141.41",
         "tags": [
-            "cloud"
+            "forwarded"
         ]
     }
 ]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/azure/auditlogs/config/azure-eventhub.yml b/x-pack/filebeat/module/azure/auditlogs/config/azure-eventhub.yml
index 9019789e590..f8b88d18a4a 100644
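Review bot: The `"forwarded"` literal that drives `publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}` is a bare string repeated in this template, in config/file.yml, and in the manifest's `default: [forwarded]` for this fileset, and the same trio recurs for the auditlogs and signinlogs filesets on the following lines. Because `disable_host` is derived from `.tags`, a deployment that sets `var.tags` without that literal gets `host.*` fields attached to events that originated in Azure, which misattributes them during triage, yet the manifest's `- name: tags` entry carries no description explaining the coupling. I'd add a comment above the manifest entry, `# "forwarded" also enables publisher_pipeline.disable_host in config/*.yml; drop it only if host.* should describe this Filebeat host.`, and the same line in the auditlogs and signinlogs manifests.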
--- a/x-pack/filebeat/module/azure/auditlogs/config/azure-eventhub.yml
+++ b/x-pack/filebeat/module/azure/auditlogs/config/azure-eventhub.yml
@@ -6,4 +6,4 @@ storage_account: {{ .storage_account }}
 storage_account_key: {{ .storage_account_key }}
 resource_manager_endpoint: {{ .resource_manager_endpoint }}
 tags: {{.tags | tojson}}
-publisher_pipeline.disable_host: {{ inList .tags "cloud" }}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
diff --git a/x-pack/filebeat/module/azure/auditlogs/config/file.yml b/x-pack/filebeat/module/azure/auditlogs/config/file.yml
index bfef9c90eec..456cc5dce7c 100644
--- a/x-pack/filebeat/module/azure/auditlogs/config/file.yml
+++ b/x-pack/filebeat/module/azure/auditlogs/config/file.yml
@@ -5,4 +5,4 @@ paths:
 {{ end }}
 exclude_files: [".gz$"]
 tags: {{.tags | tojson}}
-publisher_pipeline.disable_host: {{ inList .tags "cloud" }}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
diff --git a/x-pack/filebeat/module/azure/auditlogs/manifest.yml b/x-pack/filebeat/module/azure/auditlogs/manifest.yml
index 3baccad14c8..85029fc97a9 100644
--- a/x-pack/filebeat/module/azure/auditlogs/manifest.yml
+++ b/x-pack/filebeat/module/azure/auditlogs/manifest.yml
@@ -12,7 +12,7 @@ var:
   - name: storage_account_key
   - name: resource_manager_endpoint
   - name: tags
-    default: [cloud]
+    default: [forwarded]
 
 ingest_pipeline:
   - ingest/pipeline.json
diff --git a/x-pack/filebeat/module/azure/auditlogs/test/auditlogs.log-expected.json b/x-pack/filebeat/module/azure/auditlogs/test/auditlogs.log-expected.json
index 5323662c8fb..9e3a37a4352 100644
--- a/x-pack/filebeat/module/azure/auditlogs/test/auditlogs.log-expected.json
+++ b/x-pack/filebeat/module/azure/auditlogs/test/auditlogs.log-expected.json
@@ -39,7 +39,7 @@
         "log.offset": 0,
         "service.type": "azure",
         "tags": [
-            "cloud"
+            "forwarded"
         ]
     }
 ]
\ No newline at end of file
diff --git a/x-pack/filebeat/module/azure/signinlogs/config/azure-eventhub.yml b/x-pack/filebeat/module/azure/signinlogs/config/azure-eventhub.yml
index 9019789e590..f8b88d18a4a 100644
--- a/x-pack/filebeat/module/azure/signinlogs/config/azure-eventhub.yml
+++ b/x-pack/filebeat/module/azure/signinlogs/config/azure-eventhub.yml
@@ -6,4 +6,4 @@ storage_account: {{ .storage_account }}
 storage_account_key: {{ .storage_account_key }}
 resource_manager_endpoint: {{ .resource_manager_endpoint }}
 tags: {{.tags | tojson}}
-publisher_pipeline.disable_host: {{ inList .tags "cloud" }}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
diff --git a/x-pack/filebeat/module/azure/signinlogs/config/file.yml b/x-pack/filebeat/module/azure/signinlogs/config/file.yml
index bfef9c90eec..456cc5dce7c 100644
--- a/x-pack/filebeat/module/azure/signinlogs/config/file.yml
+++ b/x-pack/filebeat/module/azure/signinlogs/config/file.yml
@@ -5,4 +5,4 @@ paths:
 {{ end }}
 exclude_files: [".gz$"]
 tags: {{.tags | tojson}}
-publisher_pipeline.disable_host: {{ inList .tags "cloud" }}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
diff --git a/x-pack/filebeat/module/azure/signinlogs/manifest.yml b/x-pack/filebeat/module/azure/signinlogs/manifest.yml
index 67079219fe4..c08e0eaeb87 100644
--- a/x-pack/filebeat/module/azure/signinlogs/manifest.yml
+++ b/x-pack/filebeat/module/azure/signinlogs/manifest.yml
@@ -12,7 +12,7 @@ var:
   - name: storage_account_key
   - name: resource_manager_endpoint
   - name: tags
-    default: [cloud]
+    default: [forwarded]
 
 ingest_pipeline:
   - ingest/pipeline.json
diff --git a/x-pack/filebeat/module/azure/signinlogs/test/signinlogs.log-expected.json b/x-pack/filebeat/module/azure/signinlogs/test/signinlogs.log-expected.json
index c7a59cf056d..8bc3778fe07 100644
--- a/x-pack/filebeat/module/azure/signinlogs/test/signinlogs.log-expected.json
+++ b/x-pack/filebeat/module/azure/signinlogs/test/signinlogs.log-expected.json
@@ -54,7 +54,7 @@ "service.type": "azure", "source.ip": "81.171.241.231", "tags": [ - "cloud" + "forwarded" ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/googlecloud/audit/config/input.yml b/x-pack/filebeat/module/googlecloud/audit/config/input.yml index fe18acbcb5e..4c30e23b5e3 100644 --- a/x-pack/filebeat/module/googlecloud/audit/config/input.yml +++ b/x-pack/filebeat/module/googlecloud/audit/config/input.yml @@ -22,7 +22,7 @@ exclude_files: [".gz$"] {{ end }} tags: {{.tags | tojson}} -publisher_pipeline.disable_host: {{ inList .tags "cloud" }} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} processors: - script: diff --git a/x-pack/filebeat/module/googlecloud/audit/manifest.yml b/x-pack/filebeat/module/googlecloud/audit/manifest.yml index 70bac9b4d61..cacba81ad71 100644 --- a/x-pack/filebeat/module/googlecloud/audit/manifest.yml +++ b/x-pack/filebeat/module/googlecloud/audit/manifest.yml @@ -14,7 +14,7 @@ var: - name: keep_original_message default: false - name: tags - default: [cloud] + default: [forwarded] ingest_pipeline: ingest/pipeline.yml input: config/input.yml diff --git a/x-pack/filebeat/module/googlecloud/audit/test/audit-log-entries.json.log-expected.json b/x-pack/filebeat/module/googlecloud/audit/test/audit-log-entries.json.log-expected.json index 335c983e4a2..844f6eb6d88 100644 --- a/x-pack/filebeat/module/googlecloud/audit/test/audit-log-entries.json.log-expected.json +++ b/x-pack/filebeat/module/googlecloud/audit/test/audit-log-entries.json.log-expected.json @@ -32,7 +32,7 @@ "service.type": "googlecloud", "source.ip": "192.168.1.1", "tags": [ - "cloud" + "forwarded" ], "user.email": "xxx@xxx.xxx" }, @@ -76,7 +76,7 @@ "service.type": "googlecloud", "source.ip": "192.168.1.1", "tags": [ - "cloud" + "forwarded" ], "user.email": "xxx@xxx.xxx", "user_agent.device.name": "Other", 
@@ -127,7 +127,7 @@ "service.type": "googlecloud", "source.ip": "192.168.1.1", "tags": [ - "cloud" + "forwarded" ], "user.email": "xxx@xxx.xxx", "user_agent.device.name": "Other", @@ -179,7 +179,7 @@ "service.type": "googlecloud", "source.ip": "192.168.1.1", "tags": [ - "cloud" + "forwarded" ], "user.email": "xxx@xxx.xxx", "user_agent.device.name": "Other", diff --git a/x-pack/filebeat/module/googlecloud/firewall/config/input.yml b/x-pack/filebeat/module/googlecloud/firewall/config/input.yml index fa76e021540..d6579aa9f47 100644 --- a/x-pack/filebeat/module/googlecloud/firewall/config/input.yml +++ b/x-pack/filebeat/module/googlecloud/firewall/config/input.yml @@ -22,7 +22,7 @@ exclude_files: [".gz$"] {{ end }} tags: {{.tags | tojson}} -publisher_pipeline.disable_host: {{ inList .tags "cloud" }} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} processors: - script: diff --git a/x-pack/filebeat/module/googlecloud/firewall/manifest.yml b/x-pack/filebeat/module/googlecloud/firewall/manifest.yml index 69a04bc10ef..6563173197f 100644 --- a/x-pack/filebeat/module/googlecloud/firewall/manifest.yml +++ b/x-pack/filebeat/module/googlecloud/firewall/manifest.yml @@ -16,7 +16,7 @@ var: - name: keep_original_message default: false - name: tags - default: [cloud] + default: [forwarded] ingest_pipeline: ingest/pipeline.yml input: config/input.yml diff --git a/x-pack/filebeat/module/googlecloud/firewall/test/rare.log-expected.json b/x-pack/filebeat/module/googlecloud/firewall/test/rare.log-expected.json index 79b71b64a43..fb34db02422 100644 --- a/x-pack/filebeat/module/googlecloud/firewall/test/rare.log-expected.json +++ b/x-pack/filebeat/module/googlecloud/firewall/test/rare.log-expected.json @@ -63,7 +63,7 @@ "source.ip": "10.142.0.10", "source.port": 57794, "tags": [ - "cloud" + "forwarded" ] }, { @@ -130,7 +130,7 @@ "source.ip": "10.142.0.16", "source.port": 80, "tags": [ - "cloud" + "forwarded" ] } ] \ No newline at end of file 
diff --git a/x-pack/filebeat/module/googlecloud/firewall/test/test.log-expected.json b/x-pack/filebeat/module/googlecloud/firewall/test/test.log-expected.json index c4c332f2f5a..c8b16376e8f 100644 --- a/x-pack/filebeat/module/googlecloud/firewall/test/test.log-expected.json +++ b/x-pack/filebeat/module/googlecloud/firewall/test/test.log-expected.json @@ -61,7 +61,7 @@ "source.ip": "10.128.0.16", "source.port": 60094, "tags": [ - "cloud" + "forwarded" ] }, { @@ -125,7 +125,7 @@ "source.ip": "192.0.2.126", "source.port": 64853, "tags": [ - "cloud" + "forwarded" ] }, { @@ -192,7 +192,7 @@ "source.ip": "192.0.2.219", "source.port": 2897, "tags": [ - "cloud" + "forwarded" ] }, { @@ -257,7 +257,7 @@ "source.ip": "192.0.2.14", "source.port": 61000, "tags": [ - "cloud" + "forwarded" ] }, { @@ -322,7 +322,7 @@ "source.ip": "192.0.2.14", "source.port": 61000, "tags": [ - "cloud" + "forwarded" ] }, { @@ -389,7 +389,7 @@ "source.ip": "192.0.2.151", "source.port": 62551, "tags": [ - "cloud" + "forwarded" ] }, { @@ -456,7 +456,7 @@ "source.ip": "192.0.2.241", "source.port": 44542, "tags": [ - "cloud" + "forwarded" ] }, { @@ -523,7 +523,7 @@ "source.ip": "192.0.2.114", "source.port": 41293, "tags": [ - "cloud" + "forwarded" ] }, { @@ -590,7 +590,7 @@ "source.ip": "192.0.2.251", "source.port": 59106, "tags": [ - "cloud" + "forwarded" ] }, { @@ -657,7 +657,7 @@ "source.ip": "192.0.2.189", "source.port": 61000, "tags": [ - "cloud" + "forwarded" ] }, { @@ -724,7 +724,7 @@ "source.ip": "192.0.2.189", "source.port": 61000, "tags": [ - "cloud" + "forwarded" ] }, { @@ -791,7 +791,7 @@ "source.ip": "192.0.2.200", "source.port": 42716, "tags": [ - "cloud" + "forwarded" ] }, { @@ -856,7 +856,7 @@ "source.ip": "10.28.0.16", "source.port": 46418, "tags": [ - "cloud" + "forwarded" ] }, { @@ -921,7 +921,7 @@ "source.ip": "10.28.0.16", "source.port": 58725, "tags": [ - "cloud" + "forwarded" ] }, { 
@@ -992,7 +992,7 @@ "source.ip": "192.0.2.114", "source.port": 44666, "tags": [ - "cloud" + "forwarded" ] }, { @@ -1063,7 +1063,7 @@ "source.ip": "192.0.2.114", "source.port": 44668, "tags": [ - "cloud" + "forwarded" ] }, { @@ -1129,7 +1129,7 @@ "source.ip": "192.0.2.7", "source.port": 1683, "tags": [ - "cloud" + "forwarded" ] }, { @@ -1200,7 +1200,7 @@ "source.ip": "192.0.2.114", "source.port": 45068, "tags": [ - "cloud" + "forwarded" ] }, { @@ -1271,7 +1271,7 @@ "source.ip": "192.0.2.114", "source.port": 45062, "tags": [ - "cloud" + "forwarded" ] }, { @@ -1341,7 +1341,7 @@ "source.ip": "10.42.0.10", "source.port": 57794, "tags": [ - "cloud" + "forwarded" ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/googlecloud/vpcflow/config/input.yml b/x-pack/filebeat/module/googlecloud/vpcflow/config/input.yml index 58a9fd2b3d9..cf89526bbe5 100644 --- a/x-pack/filebeat/module/googlecloud/vpcflow/config/input.yml +++ b/x-pack/filebeat/module/googlecloud/vpcflow/config/input.yml @@ -22,7 +22,7 @@ exclude_files: [".gz$"] {{ end }} tags: {{.tags | tojson}} -publisher_pipeline.disable_host: {{ inList .tags "cloud" }} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} processors: - script: diff --git a/x-pack/filebeat/module/googlecloud/vpcflow/manifest.yml b/x-pack/filebeat/module/googlecloud/vpcflow/manifest.yml index 85031435e77..3ddb0800223 100644 --- a/x-pack/filebeat/module/googlecloud/vpcflow/manifest.yml +++ b/x-pack/filebeat/module/googlecloud/vpcflow/manifest.yml @@ -14,7 +14,7 @@ var: - name: keep_original_message default: false - name: tags - default: [cloud] + default: [forwarded] ingest_pipeline: ingest/pipeline.yml input: config/input.yml diff --git a/x-pack/filebeat/module/googlecloud/vpcflow/test/vpc-flow-log-entries.json.log-expected.json b/x-pack/filebeat/module/googlecloud/vpcflow/test/vpc-flow-log-entries.json.log-expected.json index dbaa9edd43d..9a71b1c35a6 100644 
--- a/x-pack/filebeat/module/googlecloud/vpcflow/test/vpc-flow-log-entries.json.log-expected.json +++ b/x-pack/filebeat/module/googlecloud/vpcflow/test/vpc-flow-log-entries.json.log-expected.json @@ -50,7 +50,7 @@ "source.packets": 7, "source.port": 5601, "tags": [ - "cloud" + "forwarded" ] }, { @@ -111,7 +111,7 @@ "source.packets": 68, "source.port": 9200, "tags": [ - "cloud" + "forwarded" ] }, { @@ -172,7 +172,7 @@ "source.packets": 78, "source.port": 9200, "tags": [ - "cloud" + "forwarded" ] }, { @@ -227,7 +227,7 @@ "source.packets": 1, "source.port": 22, "tags": [ - "cloud" + "forwarded" ] }, { @@ -281,7 +281,7 @@ "source.packets": 7, "source.port": 5601, "tags": [ - "cloud" + "forwarded" ] }, { @@ -335,7 +335,7 @@ "source.packets": 7, "source.port": 50646, "tags": [ - "cloud" + "forwarded" ] }, { @@ -396,7 +396,7 @@ "source.packets": 251, "source.port": 9200, "tags": [ - "cloud" + "forwarded" ] }, { @@ -457,7 +457,7 @@ "source.packets": 92, "source.port": 33880, "tags": [ - "cloud" + "forwarded" ] }, { @@ -518,7 +518,7 @@ "source.packets": 247, "source.port": 9200, "tags": [ - "cloud" + "forwarded" ] }, { @@ -579,7 +579,7 @@ "source.packets": 63, "source.port": 9200, "tags": [ - "cloud" + "forwarded" ] }, { @@ -634,7 +634,7 @@ "source.packets": 3, "source.port": 59679, "tags": [ - "cloud" + "forwarded" ] }, { @@ -695,7 +695,7 @@ "source.packets": 94, "source.port": 33576, "tags": [ - "cloud" + "forwarded" ] }, { @@ -756,7 +756,7 @@ "source.packets": 356, "source.port": 33562, "tags": [ - "cloud" + "forwarded" ] }, { @@ -817,7 +817,7 @@ "source.packets": 361, "source.port": 33692, "tags": [ - "cloud" + "forwarded" ] }, { @@ -878,7 +878,7 @@ "source.packets": 360, "source.port": 33542, "tags": [ - "cloud" + "forwarded" ] }, { @@ -939,7 +939,7 @@ "source.packets": 99, "source.port": 33970, "tags": [ - "cloud" + "forwarded" ] }, { @@ -990,7 +990,7 @@ "source.packets": 8690, "source.port": 9243, "tags": [ - "cloud" + "forwarded" ] }, { 
@@ -1044,7 +1044,7 @@ "source.packets": 7, "source.port": 34836, "tags": [ - "cloud" + "forwarded" ] }, { @@ -1105,7 +1105,7 @@ "source.packets": 367, "source.port": 33554, "tags": [ - "cloud" + "forwarded" ] }, { @@ -1161,7 +1161,7 @@ "source.packets": 608, "source.port": 9200, "tags": [ - "cloud" + "forwarded" ] }, { @@ -1222,7 +1222,7 @@ "source.packets": 258, "source.port": 9200, "tags": [ - "cloud" + "forwarded" ] }, { @@ -1273,7 +1273,7 @@ "source.packets": 44438, "source.port": 46864, "tags": [ - "cloud" + "forwarded" ] }, { @@ -1327,7 +1327,7 @@ "source.packets": 7, "source.port": 33478, "tags": [ - "cloud" + "forwarded" ] }, { @@ -1388,7 +1388,7 @@ "source.packets": 241, "source.port": 9200, "tags": [ - "cloud" + "forwarded" ] }, { @@ -1444,7 +1444,7 @@ "source.packets": 732, "source.port": 65320, "tags": [ - "cloud" + "forwarded" ] }, { @@ -1505,7 +1505,7 @@ "source.packets": 246, "source.port": 9200, "tags": [ - "cloud" + "forwarded" ] }, { @@ -1566,7 +1566,7 @@ "source.packets": 340, "source.port": 33548, "tags": [ - "cloud" + "forwarded" ] }, { @@ -1620,7 +1620,7 @@ "source.packets": 7, "source.port": 5601, "tags": [ - "cloud" + "forwarded" ] }, { @@ -1676,7 +1676,7 @@ "source.packets": 18, "source.port": 59623, "tags": [ - "cloud" + "forwarded" ] }, { @@ -1737,7 +1737,7 @@ "source.packets": 363, "source.port": 33552, "tags": [ - "cloud" + "forwarded" ] }, { @@ -1791,7 +1791,7 @@ "source.packets": 7, "source.port": 33924, "tags": [ - "cloud" + "forwarded" ] }, { @@ -1852,7 +1852,7 @@ "source.packets": 260, "source.port": 9200, "tags": [ - "cloud" + "forwarded" ] }, { @@ -1913,7 +1913,7 @@ "source.packets": 265, "source.port": 9200, "tags": [ - "cloud" + "forwarded" ] }, { @@ -1969,7 +1969,7 @@ "source.packets": 607, "source.port": 9200, "tags": [ - "cloud" + "forwarded" ] }, { @@ -2030,7 +2030,7 @@ "source.packets": 356, "source.port": 33534, "tags": [ - "cloud" + "forwarded" ] }, { 
@@ -2091,7 +2091,7 @@ "source.packets": 735, "source.port": 9200, "tags": [ - "cloud" + "forwarded" ] }, { @@ -2145,7 +2145,7 @@ "source.packets": 7, "source.port": 5601, "tags": [ - "cloud" + "forwarded" ] }, { @@ -2201,7 +2201,7 @@ "source.packets": 594, "source.port": 9200, "tags": [ - "cloud" + "forwarded" ] }, { @@ -2262,7 +2262,7 @@ "source.packets": 58, "source.port": 33524, "tags": [ - "cloud" + "forwarded" ] }, { @@ -2323,7 +2323,7 @@ "source.packets": 130, "source.port": 9200, "tags": [ - "cloud" + "forwarded" ] }, { @@ -2384,7 +2384,7 @@ "source.packets": 250, "source.port": 9200, "tags": [ - "cloud" + "forwarded" ] }, { @@ -2445,7 +2445,7 @@ "source.packets": 37, "source.port": 9200, "tags": [ - "cloud" + "forwarded" ] }, { @@ -2506,7 +2506,7 @@ "source.packets": 237, "source.port": 9200, "tags": [ - "cloud" + "forwarded" ] }, { @@ -2567,7 +2567,7 @@ "source.packets": 353, "source.port": 33694, "tags": [ - "cloud" + "forwarded" ] }, { @@ -2621,7 +2621,7 @@ "source.packets": 7, "source.port": 5601, "tags": [ - "cloud" + "forwarded" ] }, { @@ -2677,7 +2677,7 @@ "source.packets": 605, "source.port": 9200, "tags": [ - "cloud" + "forwarded" ] }, { @@ -2731,7 +2731,7 @@ "source.packets": 7, "source.port": 33862, "tags": [ - "cloud" + "forwarded" ] }, { @@ -2787,7 +2787,7 @@ "source.packets": 737, "source.port": 65321, "tags": [ - "cloud" + "forwarded" ] }, { @@ -2843,7 +2843,7 @@ "source.packets": 600, "source.port": 9200, "tags": [ - "cloud" + "forwarded" ] }, { @@ -2904,7 +2904,7 @@ "source.packets": 949, "source.port": 49680, "tags": [ - "cloud" + "forwarded" ] }, { @@ -2965,7 +2965,7 @@ "source.packets": 227, "source.port": 60112, "tags": [ - "cloud" + "forwarded" ] }, { @@ -3026,7 +3026,7 @@ "source.packets": 270, "source.port": 9200, "tags": [ - "cloud" + "forwarded" ] }, { @@ -3082,7 +3082,7 @@ "source.packets": 709, "source.port": 65316, "tags": [ - "cloud" + "forwarded" ] }, { 
@@ -3138,7 +3138,7 @@ "source.packets": 728, "source.port": 65263, "tags": [ - "cloud" + "forwarded" ] }, { @@ -3192,7 +3192,7 @@ "source.packets": 7, "source.port": 50438, "tags": [ - "cloud" + "forwarded" ] }, { @@ -3246,7 +3246,7 @@ "source.packets": 7, "source.port": 5601, "tags": [ - "cloud" + "forwarded" ] }, { @@ -3302,7 +3302,7 @@ "source.packets": 11, "source.port": 22, "tags": [ - "cloud" + "forwarded" ] }, { @@ -3363,7 +3363,7 @@ "source.packets": 353, "source.port": 33558, "tags": [ - "cloud" + "forwarded" ] }, { @@ -3424,7 +3424,7 @@ "source.packets": 354, "source.port": 33548, "tags": [ - "cloud" + "forwarded" ] }, { @@ -3480,7 +3480,7 @@ "source.packets": 717, "source.port": 65271, "tags": [ - "cloud" + "forwarded" ] }, { @@ -3534,7 +3534,7 @@ "source.packets": 7, "source.port": 34178, "tags": [ - "cloud" + "forwarded" ] }, { @@ -3588,7 +3588,7 @@ "source.packets": 7, "source.port": 33602, "tags": [ - "cloud" + "forwarded" ] }, { @@ -3649,7 +3649,7 @@ "source.packets": 366, "source.port": 33554, "tags": [ - "cloud" + "forwarded" ] }, { @@ -3703,7 +3703,7 @@ "source.packets": 7, "source.port": 5601, "tags": [ - "cloud" + "forwarded" ] }, { @@ -3757,7 +3757,7 @@ "source.packets": 7, "source.port": 52454, "tags": [ - "cloud" + "forwarded" ] }, { @@ -3818,7 +3818,7 @@ "source.packets": 251, "source.port": 9200, "tags": [ - "cloud" + "forwarded" ] }, { @@ -3872,7 +3872,7 @@ "source.packets": 7, "source.port": 5601, "tags": [ - "cloud" + "forwarded" ] }, { @@ -3933,7 +3933,7 @@ "source.packets": 361, "source.port": 33530, "tags": [ - "cloud" + "forwarded" ] }, { @@ -3994,7 +3994,7 @@ "source.packets": 366, "source.port": 33556, "tags": [ - "cloud" + "forwarded" ] }, { @@ -4055,7 +4055,7 @@ "source.packets": 86, "source.port": 33570, "tags": [ - "cloud" + "forwarded" ] }, { @@ -4116,7 +4116,7 @@ "source.packets": 247, "source.port": 9200, "tags": [ - "cloud" + "forwarded" ] }, { 
@@ -4170,7 +4170,7 @@ "source.packets": 7, "source.port": 5601, "tags": [ - "cloud" + "forwarded" ] }, { @@ -4231,7 +4231,7 @@ "source.packets": 118, "source.port": 33858, "tags": [ - "cloud" + "forwarded" ] }, { @@ -4285,7 +4285,7 @@ "source.packets": 7, "source.port": 33064, "tags": [ - "cloud" + "forwarded" ] }, { @@ -4346,7 +4346,7 @@ "source.packets": 251, "source.port": 9200, "tags": [ - "cloud" + "forwarded" ] }, { @@ -4400,7 +4400,7 @@ "source.packets": 7, "source.port": 53706, "tags": [ - "cloud" + "forwarded" ] }, { @@ -4454,7 +4454,7 @@ "source.packets": 7, "source.port": 52260, "tags": [ - "cloud" + "forwarded" ] }, { @@ -4508,7 +4508,7 @@ "source.packets": 7, "source.port": 5601, "tags": [ - "cloud" + "forwarded" ] }, { @@ -4562,7 +4562,7 @@ "source.packets": 7, "source.port": 5601, "tags": [ - "cloud" + "forwarded" ] }, { @@ -4616,7 +4616,7 @@ "source.packets": 7, "source.port": 5601, "tags": [ - "cloud" + "forwarded" ] }, { @@ -4670,7 +4670,7 @@ "source.packets": 7, "source.port": 34906, "tags": [ - "cloud" + "forwarded" ] }, { @@ -4724,7 +4724,7 @@ "source.packets": 7, "source.port": 5601, "tags": [ - "cloud" + "forwarded" ] }, { @@ -4785,7 +4785,7 @@ "source.packets": 361, "source.port": 33534, "tags": [ - "cloud" + "forwarded" ] }, { @@ -4846,7 +4846,7 @@ "source.packets": 358, "source.port": 33510, "tags": [ - "cloud" + "forwarded" ] }, { @@ -4900,7 +4900,7 @@ "source.packets": 7, "source.port": 58216, "tags": [ - "cloud" + "forwarded" ] }, { @@ -4961,7 +4961,7 @@ "source.packets": 243, "source.port": 9200, "tags": [ - "cloud" + "forwarded" ] }, { @@ -5015,7 +5015,7 @@ "source.packets": 7, "source.port": 5601, "tags": [ - "cloud" + "forwarded" ] }, { @@ -5069,7 +5069,7 @@ "source.packets": 7, "source.port": 5601, "tags": [ - "cloud" + "forwarded" ] }, { @@ -5123,7 +5123,7 @@ "source.packets": 7, "source.port": 34090, "tags": [ - "cloud" + "forwarded" ] }, { 
@@ -5184,7 +5184,7 @@ "source.packets": 246, "source.port": 9200, "tags": [ - "cloud" + "forwarded" ] }, { @@ -5245,7 +5245,7 @@ "source.packets": 71, "source.port": 9200, "tags": [ - "cloud" + "forwarded" ] }, { @@ -5306,7 +5306,7 @@ "source.packets": 75, "source.port": 9200, "tags": [ - "cloud" + "forwarded" ] }, { @@ -5367,7 +5367,7 @@ "source.packets": 249, "source.port": 9200, "tags": [ - "cloud" + "forwarded" ] }, { @@ -5428,7 +5428,7 @@ "source.packets": 357, "source.port": 9200, "tags": [ - "cloud" + "forwarded" ] }, { @@ -5489,7 +5489,7 @@ "source.packets": 242, "source.port": 9200, "tags": [ - "cloud" + "forwarded" ] }, { @@ -5550,7 +5550,7 @@ "source.packets": 244, "source.port": 9200, "tags": [ - "cloud" + "forwarded" ] }, { @@ -5611,7 +5611,7 @@ "source.packets": 708, "source.port": 60108, "tags": [ - "cloud" + "forwarded" ] }, { @@ -5672,7 +5672,7 @@ "source.packets": 74, "source.port": 9200, "tags": [ - "cloud" + "forwarded" ] }, { @@ -5733,7 +5733,7 @@ "source.packets": 95, "source.port": 33968, "tags": [ - "cloud" + "forwarded" ] }, { @@ -5794,7 +5794,7 @@ "source.packets": 351, "source.port": 33590, "tags": [ - "cloud" + "forwarded" ] } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/o365/audit/config/input.yml b/x-pack/filebeat/module/o365/audit/config/input.yml index a08a7206207..061d0f532af 100644 --- a/x-pack/filebeat/module/o365/audit/config/input.yml +++ b/x-pack/filebeat/module/o365/audit/config/input.yml @@ -37,7 +37,7 @@ json.add_error_key: true {{ end }} tags: {{.tags | tojson}} -publisher_pipeline.disable_host: {{ inList .tags "cloud" }} +publisher_pipeline.disable_host: {{ inList .tags "forwarded" }} processors: {{ if eq .input "file" }} diff --git a/x-pack/filebeat/module/o365/audit/manifest.yml b/x-pack/filebeat/module/o365/audit/manifest.yml index f84a6dcccb1..572e770c1e8 100644 --- a/x-pack/filebeat/module/o365/audit/manifest.yml +++ b/x-pack/filebeat/module/o365/audit/manifest.yml 
@@ -12,7 +12,7 @@ var: - name: content_type - name: api - name: tags - default: [cloud] + default: [forwarded] ingest_pipeline: ingest/pipeline.yml input: config/input.yml diff --git a/x-pack/filebeat/module/o365/audit/test/01-exchange-admin.log-expected.json b/x-pack/filebeat/module/o365/audit/test/01-exchange-admin.log-expected.json index 327943f8d56..1fbe5afbaf7 100644 --- a/x-pack/filebeat/module/o365/audit/test/01-exchange-admin.log-expected.json +++ b/x-pack/filebeat/module/o365/audit/test/01-exchange-admin.log-expected.json @@ -39,7 +39,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -96,7 +96,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -153,7 +153,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -197,7 +197,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -241,7 +241,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -286,7 +286,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -332,7 +332,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, 
@@ -376,7 +376,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -433,7 +433,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -490,7 +490,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -535,7 +535,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -592,7 +592,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -649,7 +649,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -706,7 +706,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -763,7 +763,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -820,7 +820,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, 
@@ -877,7 +877,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -921,7 +921,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -966,7 +966,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -1011,7 +1011,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -1055,7 +1055,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -1100,7 +1100,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -1157,7 +1157,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -1214,7 +1214,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -1271,7 +1271,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, 
@@ -1328,7 +1328,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -1385,7 +1385,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -1442,7 +1442,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -1499,7 +1499,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -1556,7 +1556,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -1615,7 +1615,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -1672,7 +1672,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -1729,7 +1729,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -1786,7 +1786,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, 
@@ -1843,7 +1843,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -1900,7 +1900,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -1957,7 +1957,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -2014,7 +2014,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -2071,7 +2071,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -2128,7 +2128,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -2182,7 +2182,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -2228,7 +2228,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -2273,7 +2273,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, 
@@ -2318,7 +2318,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -2363,7 +2363,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -2422,7 +2422,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -2479,7 +2479,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -2536,7 +2536,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -2593,7 +2593,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -2650,7 +2650,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -2707,7 +2707,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -2764,7 +2764,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, 
@@ -2821,7 +2821,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -2878,7 +2878,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -2935,7 +2935,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -2992,7 +2992,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -3049,7 +3049,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -3095,7 +3095,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -3141,7 +3141,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -3198,7 +3198,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -3255,7 +3255,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, 
@@ -3301,7 +3301,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -3345,7 +3345,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -3404,7 +3404,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -3461,7 +3461,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -3518,7 +3518,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -3575,7 +3575,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -3632,7 +3632,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -3689,7 +3689,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -3746,7 +3746,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, 
@@ -3803,7 +3803,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -3848,7 +3848,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -3894,7 +3894,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -3939,7 +3939,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -3985,7 +3985,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -4029,7 +4029,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -4075,7 +4075,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -4119,7 +4119,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -4165,7 +4165,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, 
@@ -4222,7 +4222,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -4279,7 +4279,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -4336,7 +4336,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -4393,7 +4393,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -4450,7 +4450,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -4507,7 +4507,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -4564,7 +4564,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -4621,7 +4621,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -4667,7 +4667,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, 
@@ -4724,7 +4724,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -4781,7 +4781,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -4826,7 +4826,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -4883,7 +4883,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -4927,7 +4927,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -4973,7 +4973,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -5027,7 +5027,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -5084,7 +5084,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -5130,7 +5130,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, 
@@ -5187,7 +5187,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -5246,7 +5246,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" }, @@ -5303,7 +5303,7 @@ "server.address": "HE1PR0102MB3228 (15.20.2707.017)", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.id": "NT AUTHORITY\\SYSTEM (Microsoft.Exchange.ServiceHost)" } diff --git a/x-pack/filebeat/module/o365/audit/test/02-exchange-item.log-expected.json b/x-pack/filebeat/module/o365/audit/test/02-exchange-item.log-expected.json index ae26e209044..7c530b3de40 100644 --- a/x-pack/filebeat/module/o365/audit/test/02-exchange-item.log-expected.json +++ b/x-pack/filebeat/module/o365/audit/test/02-exchange-item.log-expected.json @@ -56,7 +56,7 @@ "service.type": "o365", "source.ip": "::1", "tags": [ - "cloud" + "forwarded" ], "user.email": "SIEMTest@testsiem.onmicrosoft.com", "user.id": "S-1-5-18" @@ -118,7 +118,7 @@ "service.type": "o365", "source.ip": "::1", "tags": [ - "cloud" + "forwarded" ], "user.email": "AllCompany.4529848321.eqpfynvc@testsiem.onmicrosoft.com", "user.id": "S-1-5-18" @@ -180,7 +180,7 @@ "service.type": "o365", "source.ip": "::1", "tags": [ - "cloud" + "forwarded" ], "user.email": "AllCompany.4529848321.sqtielgo@testsiem.onmicrosoft.com", "user.id": "S-1-5-18" @@ -242,7 +242,7 @@ "service.type": "o365", "source.ip": "::1", "tags": [ - "cloud" + "forwarded" ], "user.email": "AllCompany.4529848321.eqpfynvc@testsiem.onmicrosoft.com", "user.id": "S-1-5-18" @@ -304,7 +304,7 @@ "service.type": "o365", "source.ip": "::1", "tags": [ - "cloud" + "forwarded" ], "user.email": "AllCompany.4529848321.sqtielgo@testsiem.onmicrosoft.com", "user.id": "S-1-5-18" 
@@ -366,7 +366,7 @@ "service.type": "o365", "source.ip": "::1", "tags": [ - "cloud" + "forwarded" ], "user.email": "AllCompany.4529848321.sqtielgo@testsiem.onmicrosoft.com", "user.id": "S-1-5-18" @@ -428,7 +428,7 @@ "service.type": "o365", "source.ip": "::1", "tags": [ - "cloud" + "forwarded" ], "user.email": "AllCompany.4529848321.eqpfynvc@testsiem.onmicrosoft.com", "user.id": "S-1-5-18" @@ -490,7 +490,7 @@ "service.type": "o365", "source.ip": "::1", "tags": [ - "cloud" + "forwarded" ], "user.email": "SIEMTest@testsiem.onmicrosoft.com", "user.id": "S-1-5-18" @@ -552,7 +552,7 @@ "service.type": "o365", "source.ip": "::1", "tags": [ - "cloud" + "forwarded" ], "user.email": "SIEMTest@testsiem.onmicrosoft.com", "user.id": "S-1-5-18" diff --git a/x-pack/filebeat/module/o365/audit/test/04-sharepoint.log-expected.json b/x-pack/filebeat/module/o365/audit/test/04-sharepoint.log-expected.json index eb41d5da049..650bbe92b0c 100644 --- a/x-pack/filebeat/module/o365/audit/test/04-sharepoint.log-expected.json +++ b/x-pack/filebeat/module/o365/audit/test/04-sharepoint.log-expected.json @@ -53,7 +53,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -120,7 +120,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -187,7 +187,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -254,7 +254,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", 
diff --git a/x-pack/filebeat/module/o365/audit/test/06-sharepointfileop.log-expected.json b/x-pack/filebeat/module/o365/audit/test/06-sharepointfileop.log-expected.json index 4b6f4d6d4b4..f77a0237b08 100644 --- a/x-pack/filebeat/module/o365/audit/test/06-sharepointfileop.log-expected.json +++ b/x-pack/filebeat/module/o365/audit/test/06-sharepointfileop.log-expected.json @@ -60,7 +60,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", "tags": [ - "cloud" + "forwarded" ], "url.original": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot 2020-01-27 at 11.30.48.png", "user.domain": "testsiem.onmicrosoft.com", @@ -135,7 +135,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", "tags": [ - "cloud" + "forwarded" ], "url.original": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot 2020-01-27 at 11.30.48.png", "user.domain": "testsiem.onmicrosoft.com", @@ -210,7 +210,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", "tags": [ - "cloud" + "forwarded" ], "url.original": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Forms/All.aspx", "user.domain": "testsiem.onmicrosoft.com", @@ -285,7 +285,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", "tags": [ - "cloud" + "forwarded" ], "url.original": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Forms/All.aspx", "user.domain": "testsiem.onmicrosoft.com", @@ -361,7 +361,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", "tags": [ - "cloud" + "forwarded" ], "url.original": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png", "user.domain": "testsiem.onmicrosoft.com", 
@@ -436,7 +436,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", "tags": [ - "cloud" + "forwarded" ], "url.original": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png", "user.domain": "testsiem.onmicrosoft.com", @@ -511,7 +511,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", "tags": [ - "cloud" + "forwarded" ], "url.original": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot 2020-01-27 at 11.30.48.png", "user.domain": "testsiem.onmicrosoft.com", @@ -587,7 +587,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", "tags": [ - "cloud" + "forwarded" ], "url.original": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png", "user.domain": "testsiem.onmicrosoft.com", @@ -662,7 +662,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", "tags": [ - "cloud" + "forwarded" ], "url.original": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png", "user.domain": "testsiem.onmicrosoft.com", @@ -737,7 +737,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", "tags": [ - "cloud" + "forwarded" ], "url.original": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png", "user.domain": "testsiem.onmicrosoft.com", @@ -812,7 +812,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", "tags": [ - "cloud" + "forwarded" ], "url.original": "https://testsiem-my.sharepoint.com/personal/asr_testsiem_onmicrosoft_com/Documents/Screenshot.png", "user.domain": "testsiem.onmicrosoft.com", diff --git a/x-pack/filebeat/module/o365/audit/test/08-azuread.log-expected.json b/x-pack/filebeat/module/o365/audit/test/08-azuread.log-expected.json index f865e0c149d..e0dfc8ff9b8 100644 
--- a/x-pack/filebeat/module/o365/audit/test/08-azuread.log-expected.json +++ b/x-pack/filebeat/module/o365/audit/test/08-azuread.log-expected.json @@ -135,7 +135,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -277,7 +277,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -419,7 +419,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -572,7 +572,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -725,7 +725,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -885,7 +885,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -1045,7 +1045,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -1205,7 +1205,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", 
@@ -1365,7 +1365,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -1525,7 +1525,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -1685,7 +1685,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -1845,7 +1845,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -2005,7 +2005,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -2165,7 +2165,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -2325,7 +2325,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -2485,7 +2485,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -2645,7 +2645,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", 
@@ -2805,7 +2805,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -2947,7 +2947,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -3089,7 +3089,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -3242,7 +3242,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -3384,7 +3384,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -3526,7 +3526,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -3668,7 +3668,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -3821,7 +3821,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -3981,7 +3981,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", 
@@ -4141,7 +4141,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -4301,7 +4301,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -4461,7 +4461,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -4621,7 +4621,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -4781,7 +4781,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -4941,7 +4941,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -5101,7 +5101,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -5262,7 +5262,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -5423,7 +5423,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", 
@@ -5551,7 +5551,7 @@ "related.user": "fim_password_service", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.domain": "support.onmicrosoft.com", "user.id": "fim_password_service@support.onmicrosoft.com", @@ -5711,7 +5711,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -5871,7 +5871,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -6031,7 +6031,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -6191,7 +6191,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -6351,7 +6351,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -6511,7 +6511,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -6671,7 +6671,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -6831,7 +6831,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", 
@@ -6991,7 +6991,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -7151,7 +7151,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -7311,7 +7311,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -7471,7 +7471,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -7631,7 +7631,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -7791,7 +7791,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -7951,7 +7951,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -8112,7 +8112,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -8273,7 +8273,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", 
@@ -8433,7 +8433,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -8593,7 +8593,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -8753,7 +8753,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -8913,7 +8913,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -9073,7 +9073,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -9233,7 +9233,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -9393,7 +9393,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -9553,7 +9553,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -9713,7 +9713,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", 
@@ -9855,7 +9855,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -9997,7 +9997,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -10139,7 +10139,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -10281,7 +10281,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -10433,7 +10433,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -10586,7 +10586,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -10739,7 +10739,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -10892,7 +10892,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -11045,7 +11045,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", 
@@ -11185,7 +11185,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -11327,7 +11327,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -11469,7 +11469,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -11622,7 +11622,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -11775,7 +11775,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -11928,7 +11928,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -12070,7 +12070,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -12212,7 +12212,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -12354,7 +12354,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", 
@@ -12507,7 +12507,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -12660,7 +12660,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -12813,7 +12813,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -12973,7 +12973,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -13133,7 +13133,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -13293,7 +13293,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -13453,7 +13453,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -13613,7 +13613,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -13773,7 +13773,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", 
@@ -13933,7 +13933,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -14093,7 +14093,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -14253,7 +14253,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -14413,7 +14413,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -14573,7 +14573,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -14734,7 +14734,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -14895,7 +14895,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -15056,7 +15056,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -15214,7 +15214,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", 
@@ -15372,7 +15372,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -15530,7 +15530,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", diff --git a/x-pack/filebeat/module/o365/audit/test/11-dlp-sharepoint.log-expected.json b/x-pack/filebeat/module/o365/audit/test/11-dlp-sharepoint.log-expected.json index 107a64853a5..5fbd3a96c71 100644 --- a/x-pack/filebeat/module/o365/audit/test/11-dlp-sharepoint.log-expected.json +++ b/x-pack/filebeat/module/o365/audit/test/11-dlp-sharepoint.log-expected.json @@ -77,7 +77,7 @@ "rule.name": "Low volume of content detected U.S. Financial", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "url.original": "https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com/Documents/Customers%20Financial%20Data.docx", "user.domain": "TESTSIEM2.ONMICROSOFT.COM", @@ -171,7 +171,7 @@ "rule.name": "High volume of content detected U.S. Financial", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "url.original": "https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com/Documents/Customers%20Financial%20Data%20Copy.docx", "user.domain": "TESTSIEM2.ONMICROSOFT.COM", @@ -261,7 +261,7 @@ "rule.name": "Low volume of content detected U.S. Financial", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "url.original": "https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com/Documents/Customers%20Financial%20Data%20Copy.docx", "user.domain": "TESTSIEM2.ONMICROSOFT.COM", 
@@ -355,7 +355,7 @@ "rule.name": "High volume of content detected U.S. Financial", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "url.original": "https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com/Documents/Customers%20Financial%20Data.docx", "user.domain": "TESTSIEM2.ONMICROSOFT.COM", @@ -449,7 +449,7 @@ "rule.name": "High volume of content detected France Financial", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "url.original": "https://testsiem2-my.sharepoint.com/personal/asr_testsiem2_onmicrosoft_com/Documents/INTERNAL%20CREDIT%20CARD%20NUMBERS.docx", "user.domain": "TESTSIEM2.ONMICROSOFT.COM", @@ -543,7 +543,7 @@ "rule.name": "Low volume of content detected France Financial", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "url.original": "https://testsiem2.sharepoint.com/sites/Internalcommunications/Shared%20Documents/Document.docx", "user.domain": "testsiem2.onmicrosoft.com", @@ -637,7 +637,7 @@ "rule.name": "Low volume of content detected France Financial", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "url.original": "https://testsiem2.sharepoint.com/sites/Internalcommunications/Shared%20Documents/Document.docx", "user.domain": "testsiem2.onmicrosoft.com", diff --git a/x-pack/filebeat/module/o365/audit/test/13-dlp-exchange.log-expected.json b/x-pack/filebeat/module/o365/audit/test/13-dlp-exchange.log-expected.json index d27f4cd73e4..dd3364f133f 100644 --- a/x-pack/filebeat/module/o365/audit/test/13-dlp-exchange.log-expected.json +++ b/x-pack/filebeat/module/o365/audit/test/13-dlp-exchange.log-expected.json @@ -144,7 +144,7 @@ "service.type": "o365", "source.user.email": "asr@testsiem2.onmicrosoft.com", "tags": [ - "cloud" + "forwarded" ], "user.id": "DlpAgent" }, @@ -293,7 +293,7 @@ "service.type": "o365", "source.user.email": "asr@testsiem2.onmicrosoft.com", "tags": [ - "cloud" + "forwarded" ], "user.id": "DlpAgent" }, 
@@ -443,7 +443,7 @@ "service.type": "o365", "source.user.email": "asr@testsiem2.onmicrosoft.com", "tags": [ - "cloud" + "forwarded" ], "user.id": "DlpAgent" }, @@ -593,7 +593,7 @@ "service.type": "o365", "source.user.email": "asr@testsiem2.onmicrosoft.com", "tags": [ - "cloud" + "forwarded" ], "user.id": "DlpAgent" }, @@ -693,7 +693,7 @@ "service.type": "o365", "source.user.email": "asr@testsiem2.onmicrosoft.com", "tags": [ - "cloud" + "forwarded" ], "user.id": "DlpAgent" }, @@ -788,7 +788,7 @@ "rule.name": "Low volume of content detected test", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "url.original": "https://example.net/testsiem2.onmicrosoft.com/sharepoint", "user.domain": "testsiem2.onmicrosoft.com", diff --git a/x-pack/filebeat/module/o365/audit/test/14-sp-sharing-op.log-expected.json b/x-pack/filebeat/module/o365/audit/test/14-sp-sharing-op.log-expected.json index 56c34560fc8..190e2185584 100644 --- a/x-pack/filebeat/module/o365/audit/test/14-sp-sharing-op.log-expected.json +++ b/x-pack/filebeat/module/o365/audit/test/14-sp-sharing-op.log-expected.json @@ -40,7 +40,7 @@ "related.user": "app", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.domain": "sharepoint", "user.id": "app@sharepoint", @@ -90,7 +90,7 @@ "related.user": "app", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.domain": "sharepoint", "user.id": "app@sharepoint", @@ -140,7 +140,7 @@ "related.user": "app", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.domain": "sharepoint", "user.id": "app@sharepoint", @@ -190,7 +190,7 @@ "related.user": "app", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.domain": "sharepoint", "user.id": "app@sharepoint", @@ -240,7 +240,7 @@ "related.user": "app", "service.type": "o365", "tags": [ - "cloud" + "forwarded" ], "user.domain": "sharepoint", "user.id": "app@sharepoint", 
@@ -305,7 +305,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "79.159.10.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -378,7 +378,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "79.159.10.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -452,7 +452,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "79.159.10.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -526,7 +526,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "79.159.10.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -600,7 +600,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "79.159.10.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", diff --git a/x-pack/filebeat/module/o365/audit/test/15-azuread-sts-logon.log-expected.json b/x-pack/filebeat/module/o365/audit/test/15-azuread-sts-logon.log-expected.json index 12475b5e527..a71438525e9 100644 --- a/x-pack/filebeat/module/o365/audit/test/15-azuread-sts-logon.log-expected.json +++ b/x-pack/filebeat/module/o365/audit/test/15-azuread-sts-logon.log-expected.json @@ -82,7 +82,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -178,7 +178,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "79.159.10.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", 
@@ -274,7 +274,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -370,7 +370,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "79.159.10.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -466,7 +466,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "79.159.10.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -562,7 +562,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -658,7 +658,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -754,7 +754,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -850,7 +850,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "79.159.10.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -946,7 +946,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -1042,7 +1042,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "79.159.10.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", 
@@ -1138,7 +1138,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -1234,7 +1234,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -1330,7 +1330,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -1423,7 +1423,7 @@ "source.geo.location.lon": -3.684, "source.ip": "37.29.234.179", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -1519,7 +1519,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -1615,7 +1615,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "79.159.10.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -1708,7 +1708,7 @@ "source.geo.location.lon": -3.684, "source.ip": "37.29.234.179", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -1804,7 +1804,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -1900,7 +1900,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", 
@@ -1996,7 +1996,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "79.159.10.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -2092,7 +2092,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -2188,7 +2188,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "79.159.10.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -2284,7 +2284,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -2380,7 +2380,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -2476,7 +2476,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "79.159.10.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -2572,7 +2572,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "79.159.10.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -2668,7 +2668,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "79.159.10.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -2764,7 +2764,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", 
@@ -2859,7 +2859,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -2956,7 +2956,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -3042,7 +3042,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "79.159.10.151", "tags": [ - "cloud" + "forwarded" ], "user.id": "Unknown", "user_agent.device.name": "Other", @@ -3136,7 +3136,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -3222,7 +3222,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.id": "Unknown", "user_agent.device.name": "Other", @@ -3317,7 +3317,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -3403,7 +3403,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.id": "Unknown", "user_agent.device.name": "Other", @@ -3498,7 +3498,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -3594,7 +3594,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", 
@@ -3690,7 +3690,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -3776,7 +3776,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "79.159.10.151", "tags": [ - "cloud" + "forwarded" ], "user.id": "Unknown", "user_agent.device.name": "Other", @@ -3871,7 +3871,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "79.159.10.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -3964,7 +3964,7 @@ "source.geo.location.lon": -3.684, "source.ip": "37.29.234.179", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -4060,7 +4060,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "79.159.10.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -4156,7 +4156,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -4242,7 +4242,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.id": "Unknown", "user_agent.device.name": "Other", @@ -4336,7 +4336,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "79.159.10.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -4432,7 +4432,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", 
@@ -4528,7 +4528,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "79.159.10.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -4624,7 +4624,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -4720,7 +4720,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -4816,7 +4816,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "79.159.10.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -4912,7 +4912,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -5008,7 +5008,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -5104,7 +5104,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -5200,7 +5200,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -5296,7 +5296,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", 
@@ -5392,7 +5392,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "79.159.10.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -5488,7 +5488,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "79.159.10.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -5581,7 +5581,7 @@ "source.geo.location.lon": -3.684, "source.ip": "37.29.234.179", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -5677,7 +5677,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -5773,7 +5773,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -5869,7 +5869,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -5965,7 +5965,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -6061,7 +6061,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "79.159.10.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -6157,7 +6157,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", 
@@ -6253,7 +6253,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -6349,7 +6349,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -6445,7 +6445,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "83.57.233.151", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", @@ -6541,7 +6541,7 @@ "source.geo.region_name": "Barcelona", "source.ip": "213.97.47.133", "tags": [ - "cloud" + "forwarded" ], "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", diff --git a/x-pack/filebeat/module/o365/audit/test/22-yammer.log-expected.json b/x-pack/filebeat/module/o365/audit/test/22-yammer.log-expected.json index 05c952c3a79..4bd20443e07 100644 --- a/x-pack/filebeat/module/o365/audit/test/22-yammer.log-expected.json +++ b/x-pack/filebeat/module/o365/audit/test/22-yammer.log-expected.json @@ -55,7 +55,7 @@ "source.ip": "79.159.10.151", "source.port": "12345", "tags": [ - "cloud" + "forwarded" ], "user.email": "alice@testsiem2.onmicrosoft.com", "user.id": "36787265537" @@ -107,7 +107,7 @@ "source.ip": "fdfd::555", "source.port": "12346", "tags": [ - "cloud" + "forwarded" ], "user.email": "asr@testsiem2.onmicrosoft.com", "user.id": "36085768193" diff --git a/x-pack/filebeat/module/o365/audit/test/25-ms-teams.log-expected.json b/x-pack/filebeat/module/o365/audit/test/25-ms-teams.log-expected.json index a91040b14d4..c3435f152d6 100644 --- a/x-pack/filebeat/module/o365/audit/test/25-ms-teams.log-expected.json +++ b/x-pack/filebeat/module/o365/audit/test/25-ms-teams.log-expected.json 
@@ -30,7 +30,7 @@
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "service.type": "o365",
 "tags": [
- "cloud"
+ "forwarded"
 ],
 "user.id": "Application"
 },
@@ -89,7 +89,7 @@
 "related.user": "asr",
 "service.type": "o365",
 "tags": [
- "cloud"
+ "forwarded"
 ],
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
@@ -135,7 +135,7 @@
 "related.user": "asr",
 "service.type": "o365",
 "tags": [
- "cloud"
+ "forwarded"
 ],
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
@@ -172,7 +172,7 @@
 "related.user": "bob",
 "service.type": "o365",
 "tags": [
- "cloud"
+ "forwarded"
 ],
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "bob@testsiem.onmicrosoft.com",
diff --git a/x-pack/filebeat/module/o365/audit/test/40-sec-comp-alerts.log-expected.json b/x-pack/filebeat/module/o365/audit/test/40-sec-comp-alerts.log-expected.json
index 97e6ac440ce..fd05be0b044 100644
--- a/x-pack/filebeat/module/o365/audit/test/40-sec-comp-alerts.log-expected.json
+++ b/x-pack/filebeat/module/o365/audit/test/40-sec-comp-alerts.log-expected.json
@@ -58,7 +58,7 @@
 "rule.ruleset": "User",
 "service.type": "o365",
 "tags": [
- "cloud"
+ "forwarded"
 ],
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
@@ -112,7 +112,7 @@
 "rule.reference": "http://example.net/single",
 "service.type": "o365",
 "tags": [
- "cloud"
+ "forwarded"
 ],
 "user.id": "SecurityComplianceAlerts"
 },
@@ -166,7 +166,7 @@
 "rule.ruleset": "MalwareFamily",
 "service.type": "o365",
 "tags": [
- "cloud"
+ "forwarded"
 ],
 "threat.technique.id": "Malware/Evil.Malware.B",
 "user.id": "SecurityComplianceAlerts"
diff --git a/x-pack/filebeat/module/o365/audit/test/52-data-insights-api.log-expected.json b/x-pack/filebeat/module/o365/audit/test/52-data-insights-api.log-expected.json
index 5b5d74e5f5d..0f4b914b993 100644
--- a/x-pack/filebeat/module/o365/audit/test/52-data-insights-api.log-expected.json
+++ b/x-pack/filebeat/module/o365/audit/test/52-data-insights-api.log-expected.json
@@ -29,7 +29,7 @@
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "service.type": "o365",
 "tags": [
- "cloud"
+ "forwarded"
 ],
 "user.id": "Service Account"
 },
@@ -63,7 +63,7 @@
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "service.type": "o365",
 "tags": [
- "cloud"
+ "forwarded"
 ],
 "user.id": "Service Account"
 },
@@ -97,7 +97,7 @@
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "service.type": "o365",
 "tags": [
- "cloud"
+ "forwarded"
 ],
 "user.id": "Service Account"
 },
@@ -131,7 +131,7 @@
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "service.type": "o365",
 "tags": [
- "cloud"
+ "forwarded"
 ],
 "user.id": "Service Account"
 },
@@ -165,7 +165,7 @@
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "service.type": "o365",
 "tags": [
- "cloud"
+ "forwarded"
 ],
 "user.id": "Service Account"
 },
@@ -199,7 +199,7 @@
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "service.type": "o365",
 "tags": [
- "cloud"
+ "forwarded"
 ],
 "user.id": "Service Account"
 },
@@ -233,7 +233,7 @@
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "service.type": "o365",
 "tags": [
- "cloud"
+ "forwarded"
 ],
 "user.id": "Service Account"
 },
@@ -267,7 +267,7 @@
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "service.type": "o365",
 "tags": [
- "cloud"
+ "forwarded"
 ],
 "user.id": "Service Account"
 },
@@ -301,7 +301,7 @@
 "organization.id": "b86ab9d4-fcf1-4b11-8a06-7a8f91b47fbd",
 "service.type": "o365",
 "tags": [
- "cloud"
+ "forwarded"
 ],
 "user.id": "Service Account"
 }
diff --git a/x-pack/filebeat/module/okta/system/config/input.yml b/x-pack/filebeat/module/okta/system/config/input.yml
index d824a23a010..cf646175059 100644
--- a/x-pack/filebeat/module/okta/system/config/input.yml
+++ b/x-pack/filebeat/module/okta/system/config/input.yml
@@ -26,7 +26,7 @@ exclude_files: [".gz$"]
 {{ end }}
 tags: {{.tags | tojson}}
-publisher_pipeline.disable_host: {{ inList .tags "cloud" }}
+publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
 processors:
 - script:
diff --git a/x-pack/filebeat/module/okta/system/manifest.yml b/x-pack/filebeat/module/okta/system/manifest.yml
index b07590b8771..b5dc38bc55c 100644
--- a/x-pack/filebeat/module/okta/system/manifest.yml
+++ b/x-pack/filebeat/module/okta/system/manifest.yml
@@ -47,7 +47,7 @@ var:
 default: |-
 {}
 - name: tags
- default: [cloud]
+ default: [forwarded]
 input: config/input.yml
 ingest_pipeline: ingest/pipeline.yml
diff --git a/x-pack/filebeat/module/okta/system/test/okta-system-test.json.log-expected.json b/x-pack/filebeat/module/okta/system/test/okta-system-test.json.log-expected.json
index 56d698198d5..c85eeff2148 100644
--- a/x-pack/filebeat/module/okta/system/test/okta-system-test.json.log-expected.json
+++ b/x-pack/filebeat/module/okta/system/test/okta-system-test.json.log-expected.json
@@ -63,7 +63,7 @@
 "source.user.full_name": "xxxxxx",
 "source.user.id": "00u1abvz4pYqdM8ms4x6",
 "tags": [
- "cloud"
+ "forwarded"
 ],
 "user_agent.device.name": "Other",
 "user_agent.name": "Firefox",
@@ -138,7 +138,7 @@
 "source.user.full_name": "xxxxxx",
 "source.user.id": "00u1abvz4pYqdM8ms4x6",
 "tags": [
- "cloud"
+ "forwarded"
 ],
 "user_agent.device.name": "Other",
 "user_agent.name": "Firefox",
@@ -228,7 +228,7 @@
 "source.user.full_name": "xxxxxx",
 "source.user.id": "00u1abvz4pYqdM8ms4x6",
 "tags": [
- "cloud"
+ "forwarded"
 ],
 "user_agent.device.name": "Other",
 "user_agent.name": "Firefox",
From 540ab49d50c3af9d7f17e301228ac8c38dfd09f8 Mon Sep 17 00:00:00 2001
From: Andrew Kroh
Date: Thu, 14 May 2020 13:54:24 -0400
Subject: [PATCH 3/3] Fix test case for fileset templates
---
 filebeat/fileset/fileset_test.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/filebeat/fileset/fileset_test.go b/filebeat/fileset/fileset_test.go
index e7865074d8d..4a8087af2b4 100644
--- a/filebeat/fileset/fileset_test.go
+++ b/filebeat/fileset/fileset_test.go
@@ -288,6 +288,7 @@ func TestGetTemplateFunctions(t *testing.T) {
 templateFunctions, err := getTemplateFunctions(vars)
 assert.NoError(t, err)
 assert.IsType(t, template.FuncMap{}, templateFunctions)
- assert.Len(t, templateFunctions, 1)
+ assert.Contains(t, templateFunctions, "inList")
+ assert.Contains(t, templateFunctions, "tojson")
 assert.Contains(t, templateFunctions, "IngestPipeline")
 }
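Review bot: Dropping `assert.Len(t, templateFunctions, 1)` in favour of three `Contains` checks means the test no longer pins the exact set of functions exposed to fileset config templates, so a function registered later would pass unnoticed. If inList, tojson and IngestPipeline are the only intended entries, keep a count next to the membership checks: `assert.Len(t, templateFunctions, 3)`. That map is the whole helper surface available to module config templates, so an exact-set assertion is a cheap guard against it growing silently. TestGetTemplateFunctions starts before this hunk; only its tail is visible here.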