diff --git a/packages/system/changelog.yml b/packages/system/changelog.yml
index 73982e5a846..a4b595a4ef1 100644
--- a/packages/system/changelog.yml
+++ b/packages/system/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.13.0"
+ changes:
+ - description: Add parent process ID to security event for new process creation.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2966
 - version: "1.12.1"
 changes:
 - description: Add documentation for multi-fields
diff --git a/packages/system/data_stream/auth/_dev/test/pipeline/test-auth-ubuntu1204.log-expected.json b/packages/system/data_stream/auth/_dev/test/pipeline/test-auth-ubuntu1204.log-expected.json
index bdce1e86300..27f654731a6 100644
--- a/packages/system/data_stream/auth/_dev/test/pipeline/test-auth-ubuntu1204.log-expected.json
+++ b/packages/system/data_stream/auth/_dev/test/pipeline/test-auth-ubuntu1204.log-expected.json
@@ -1,4457 +1,4335 @@ { "expected": [ { + "@timestamp": "2022-02-09T21:19:40.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "subsystem request for sftp by user vagrant", "process": { "name": "sshd", "pid": 8317 }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-09T21:19:40.000Z", "related": { - "user": [ - "vagrant" - ], "hosts": [ "precise32" + ], + "user": [ + "vagrant" ] }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "precise32" - }, - "event": { - "ingested": "2022-01-12T04:29:55.806419610Z", - "timezone": "+0000", - "kind": "event" + "system": { + "auth": {} }, - "message": "subsystem request for sftp by user vagrant", "user": { "name": "vagrant" } }, { + "@timestamp": "2022-02-09T21:19:40.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, "process": { "name": "sudo" }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "vagrant", + "root" + ] + }, "system": { "auth": { "sudo": { - "tty": "pts/0", + "command": "/bin/sh -c echo BECOME-SUCCESS-lhspyyxxlfzpytwsebjoegenjxyjombo; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675177.72-26828938879074/get_url; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675177.72-26828938879074/ \u003e/dev/null 2\u003e\u00261", "pwd": "/home/vagrant", - "user": "root", - "command": "/bin/sh -c echo BECOME-SUCCESS-lhspyyxxlfzpytwsebjoegenjxyjombo; LANG=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 /usr/bin/python /home/vagrant/.ansible/tmp/ansible-tmp-1486675177.72-26828938879074/get_url; rm -rf /home/vagrant/.ansible/tmp/ansible-tmp-1486675177.72-26828938879074/ \u003e/dev/null 2\u003e\u00261" + "tty": "pts/0", + "user": "root" } } }, + "user": { + "effective": { + "name": "root" + }, + "name": "vagrant" + } + }, + { "@timestamp": 
"2022-02-09T21:19:40.000Z", - "related": { - "user": [ - "vagrant", - "root" - ], - "hosts": [ - "precise32" - ] - }, "ecs": { "version": "8.0.0" }, + "event": { + "kind": "event", + "timezone": "+0000" + }, "host": { "hostname": "precise32" }, - "event": { - "ingested": "2022-01-12T04:29:55.806422655Z", - "timezone": "+0000", - "kind": "event" - }, - "user": { - "name": "vagrant", - "effective": { - "name": "root" - } - } - }, - { + "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process": { "name": "sudo" }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-09T21:19:40.000Z", "related": { + "hosts": [ + "precise32" + ], "user": [ "vagrant", "root" - ], - "hosts": [ - "precise32" ] }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "precise32" - }, - "event": { - "ingested": "2022-01-12T04:29:55.806423697Z", - "timezone": "+0000", - "kind": "event" + "system": { + "auth": {} }, - "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "user": { - "name": "vagrant", "effective": { "name": "root" }, - "id": "1000" + "id": "1000", + "name": "vagrant" } }, { + "@timestamp": "2022-02-09T21:19:41.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(sudo:session): session closed for user root", "process": { "name": "sudo" }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-09T21:19:41.000Z", "related": { - "user": [ - "root" - ], "hosts": [ "precise32" + ], + "user": [ + "root" ] }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "precise32" - }, - "event": { - "ingested": "2022-01-12T04:29:55.806424602Z", - "timezone": "+0000", - "kind": "event" + "system": { + "auth": {} }, - "message": "pam_unix(sudo:session): session closed for user root", "user": { "name": "root" } }, { + "@timestamp": "2022-02-09T21:21:02.000Z", + "ecs": { + "version": 
"8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, "process": { "name": "sudo" }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "vagrant", + "root" + ] + }, "system": { "auth": { "sudo": { - "tty": "pts/0", + "command": "/bin/sh -c echo BECOME-SUCCESS-lwzhcvorajmjyxsrqydafzapoeescwaf; rc=flag; [ -r /etc/metricbeat/metricbeat.yml ] || rc=2; [ -f /etc/metricbeat/metricbeat.yml ] || rc=1; [ -d /etc/metricbeat/metricbeat.yml ] \u0026\u0026 rc=3; python -V 2\u003e/dev/null || rc=4; [ x\"$rc\" != \"xflag\" ] \u0026\u0026 echo \"${rc} \"/etc/metricbeat/metricbeat.yml \u0026\u0026 exit 0; (python -c 'import hashlib; BLOCKSIZE = 65536; hasher = hashlib.sha1();#012afile = open(\"'/etc/metricbeat/metricbeat.yml'\", \"rb\")#012buf = afile.read(BLOCKSIZE)#012while len(buf) \u003e 0:#012#011hasher.update(buf)#012#011buf = afile.read(BLOCKSIZE)#012afile.close()#012print(hasher.hexdigest())' 2\u003e/dev/null) || (python -c 'import sha; BLOCKSIZE = 65536; hasher = sha.sha();#012afile = open(\"'/etc/metricbeat/metricbeat.yml'\", \"rb\")#012buf = afile.read(BLOCKSIZE)#012while len(buf) \u003e 0:#012#011hasher.update(buf)#012#011buf = afile.read(BLOCKSIZE)#012afile.close()#012print(hasher.hexdigest())' 2\u003e/dev/null) || (echo '0", "pwd": "/home/vagrant", - "user": "root", - "command": "/bin/sh -c echo BECOME-SUCCESS-lwzhcvorajmjyxsrqydafzapoeescwaf; rc=flag; [ -r /etc/metricbeat/metricbeat.yml ] || rc=2; [ -f /etc/metricbeat/metricbeat.yml ] || rc=1; [ -d /etc/metricbeat/metricbeat.yml ] \u0026\u0026 rc=3; python -V 2\u003e/dev/null || rc=4; [ x\"$rc\" != \"xflag\" ] \u0026\u0026 echo \"${rc} \"/etc/metricbeat/metricbeat.yml \u0026\u0026 exit 0; (python -c 'import hashlib; BLOCKSIZE = 65536; hasher = hashlib.sha1();#012afile = open(\"'/etc/metricbeat/metricbeat.yml'\", \"rb\")#012buf = afile.read(BLOCKSIZE)#012while len(buf) \u003e 0:#012#011hasher.update(buf)#012#011buf = 
afile.read(BLOCKSIZE)#012afile.close()#012print(hasher.hexdigest())' 2\u003e/dev/null) || (python -c 'import sha; BLOCKSIZE = 65536; hasher = sha.sha();#012afile = open(\"'/etc/metricbeat/metricbeat.yml'\", \"rb\")#012buf = afile.read(BLOCKSIZE)#012while len(buf) \u003e 0:#012#011hasher.update(buf)#012#011buf = afile.read(BLOCKSIZE)#012afile.close()#012print(hasher.hexdigest())' 2\u003e/dev/null) || (echo '0" + "tty": "pts/0", + "user": "root" } } }, + "user": { + "effective": { + "name": "root" + }, + "name": "vagrant" + } + }, + { "@timestamp": "2022-02-09T21:21:02.000Z", - "related": { - "user": [ - "vagrant", - "root" - ], - "hosts": [ - "precise32" - ] - }, "ecs": { "version": "8.0.0" }, + "event": { + "kind": "event", + "timezone": "+0000" + }, "host": { "hostname": "precise32" }, - "event": { - "ingested": "2022-01-12T04:29:55.806425477Z", - "timezone": "+0000", - "kind": "event" - }, - "user": { - "name": "vagrant", - "effective": { - "name": "root" - } - } - }, - { + "message": " vagrant : (command continued) '/etc/metricbeat/metricbeat.yml)", "process": { "name": "sudo" }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-09T21:21:02.000Z", "related": { "hosts": [ "precise32" ] }, + "system": { + "auth": {} + } + }, + { + "@timestamp": "2022-02-09T21:21:02.000Z", "ecs": { "version": "8.0.0" }, + "event": { + "kind": "event", + "timezone": "+0000" + }, "host": { "hostname": "precise32" }, - "event": { - "ingested": "2022-01-12T04:29:55.806426362Z", - "timezone": "+0000", - "kind": "event" - }, - "message": " vagrant : (command continued) '/etc/metricbeat/metricbeat.yml)" - }, - { + "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process": { "name": "sudo" }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-09T21:21:02.000Z", "related": { + "hosts": [ + "precise32" + ], "user": [ "vagrant", "root" - ], - "hosts": [ - "precise32" ] }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": 
"precise32" - }, - "event": { - "ingested": "2022-01-12T04:29:55.806427234Z", - "timezone": "+0000", - "kind": "event" + "system": { + "auth": {} }, - "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "user": { - "name": "vagrant", "effective": { "name": "root" }, - "id": "1000" + "id": "1000", + "name": "vagrant" } }, { - "process": { - "name": "sudo" - }, - "system": { - "auth": {} - }, "@timestamp": "2022-02-09T21:21:02.000Z", - "related": { - "user": [ - "root" - ], - "hosts": [ - "precise32" - ] - }, "ecs": { "version": "8.0.0" }, + "event": { + "kind": "event", + "timezone": "+0000" + }, "host": { "hostname": "precise32" }, - "event": { - "ingested": "2022-01-12T04:29:55.806428108Z", - "timezone": "+0000", - "kind": "event" - }, "message": "pam_unix(sudo:session): session closed for user root", - "user": { - "name": "root" - } - }, - { "process": { - "name": "sshd", - "pid": 1332 - }, - "system": { - "auth": {} + "name": "sudo" }, - "@timestamp": "2022-02-22T10:21:42.000Z", "related": { - "user": [ - "vagrant" - ], "hosts": [ "precise32" + ], + "user": [ + "root" ] }, + "system": { + "auth": {} + }, + "user": { + "name": "root" + } + }, + { + "@timestamp": "2022-02-22T10:21:42.000Z", "ecs": { "version": "8.0.0" }, + "event": { + "kind": "event", + "timezone": "+0000" + }, "host": { "hostname": "precise32" }, - "event": { - "ingested": "2022-01-12T04:29:55.806428995Z", - "timezone": "+0000", - "kind": "event" - }, "message": "subsystem request for sftp by user vagrant", + "process": { + "name": "sshd", + "pid": 1332 + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "vagrant" + ] + }, + "system": { + "auth": {} + }, "user": { "name": "vagrant" } }, { + "@timestamp": "2022-02-22T10:21:43.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "message": "last message repeated 2 times", "process": { "name": "sshd", "pid": 1332 }, "system": { "auth": {} - }, - 
"@timestamp": "2022-02-22T10:21:43.000Z", + } + }, + { + "@timestamp": "2022-02-22T10:24:49.000Z", "ecs": { "version": "8.0.0" }, "event": { - "ingested": "2022-01-12T04:29:55.806429876Z", - "timezone": "+0000", - "kind": "event" + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" }, - "message": "last message repeated 2 times" - }, - { "process": { "name": "sudo" }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "vagrant", + "root" + ] + }, "system": { "auth": { "sudo": { - "tty": "pts/0", + "command": "/bin/sh -c echo BECOME-SUCCESS-ippzqmywwjlstxlqlpyxbnzzgeigarma; rc=flag; [ -r /etc/heartbeat/heartbeat.yml ] || rc=2; [ -f /etc/heartbeat/heartbeat.yml ] || rc=1; [ -d /etc/heartbeat/heartbeat.yml ] \u0026\u0026 rc=3; python -V 2\u003e/dev/null || rc=4; [ x\"$rc\" != \"xflag\" ] \u0026\u0026 echo \"${rc} \"/etc/heartbeat/heartbeat.yml \u0026\u0026 exit 0; (python -c 'import hashlib; BLOCKSIZE = 65536; hasher = hashlib.sha1();#012afile = open(\"'/etc/heartbeat/heartbeat.yml'\", \"rb\")#012buf = afile.read(BLOCKSIZE)#012while len(buf) \u003e 0:#012#011hasher.update(buf)#012#011buf = afile.read(BLOCKSIZE)#012afile.close()#012print(hasher.hexdigest())' 2\u003e/dev/null) || (python -c 'import sha; BLOCKSIZE = 65536; hasher = sha.sha();#012afile = open(\"'/etc/heartbeat/heartbeat.yml'\", \"rb\")#012buf = afile.read(BLOCKSIZE)#012while len(buf) \u003e 0:#012#011hasher.update(buf)#012#011buf = afile.read(BLOCKSIZE)#012afile.close()#012print(hasher.hexdigest())' 2\u003e/dev/null) || (echo '0", "pwd": "/home/vagrant", - "user": "root", - "command": "/bin/sh -c echo BECOME-SUCCESS-ippzqmywwjlstxlqlpyxbnzzgeigarma; rc=flag; [ -r /etc/heartbeat/heartbeat.yml ] || rc=2; [ -f /etc/heartbeat/heartbeat.yml ] || rc=1; [ -d /etc/heartbeat/heartbeat.yml ] \u0026\u0026 rc=3; python -V 2\u003e/dev/null || rc=4; [ x\"$rc\" != \"xflag\" ] \u0026\u0026 echo \"${rc} \"/etc/heartbeat/heartbeat.yml \u0026\u0026 exit 0; (python -c 'import hashlib; 
BLOCKSIZE = 65536; hasher = hashlib.sha1();#012afile = open(\"'/etc/heartbeat/heartbeat.yml'\", \"rb\")#012buf = afile.read(BLOCKSIZE)#012while len(buf) \u003e 0:#012#011hasher.update(buf)#012#011buf = afile.read(BLOCKSIZE)#012afile.close()#012print(hasher.hexdigest())' 2\u003e/dev/null) || (python -c 'import sha; BLOCKSIZE = 65536; hasher = sha.sha();#012afile = open(\"'/etc/heartbeat/heartbeat.yml'\", \"rb\")#012buf = afile.read(BLOCKSIZE)#012while len(buf) \u003e 0:#012#011hasher.update(buf)#012#011buf = afile.read(BLOCKSIZE)#012afile.close()#012print(hasher.hexdigest())' 2\u003e/dev/null) || (echo '0" + "tty": "pts/0", + "user": "root" } } }, + "user": { + "effective": { + "name": "root" + }, + "name": "vagrant" + } + }, + { "@timestamp": "2022-02-22T10:24:49.000Z", - "related": { - "user": [ - "vagrant", - "root" - ], - "hosts": [ - "precise32" - ] - }, "ecs": { "version": "8.0.0" }, + "event": { + "kind": "event", + "timezone": "+0000" + }, "host": { "hostname": "precise32" }, - "event": { - "ingested": "2022-01-12T04:29:55.806430769Z", - "timezone": "+0000", - "kind": "event" - }, - "user": { - "name": "vagrant", - "effective": { - "name": "root" - } - } - }, - { + "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process": { "name": "sudo" }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-22T10:24:49.000Z", "related": { + "hosts": [ + "precise32" + ], "user": [ "vagrant", "root" - ], - "hosts": [ - "precise32" ] }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "precise32" - }, - "event": { - "ingested": "2022-01-12T04:29:55.806431800Z", - "timezone": "+0000", - "kind": "event" + "system": { + "auth": {} }, - "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "user": { - "name": "vagrant", "effective": { "name": "root" }, - "id": "1000" + "id": "1000", + "name": "vagrant" } }, { + "@timestamp": "2022-02-22T10:26:52.000Z", + "ecs": { + "version": "8.0.0" + 
}, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "Received disconnect from 10.0.2.2: 11: disconnected by user", "process": { "name": "sshd", "pid": 1332 }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-22T10:26:52.000Z", "related": { "hosts": [ "precise32" ] }, + "system": { + "auth": {} + } + }, + { + "@timestamp": "2022-02-22T10:26:52.000Z", "ecs": { "version": "8.0.0" }, + "event": { + "kind": "event", + "timezone": "+0000" + }, "host": { "hostname": "precise32" }, - "event": { - "ingested": "2022-01-12T04:29:55.806432706Z", - "timezone": "+0000", - "kind": "event" - }, - "message": "Received disconnect from 10.0.2.2: 11: disconnected by user" - }, - { + "message": "pam_unix(sshd:session): session closed for user vagrant", "process": { "name": "sshd", "pid": 1317 }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-22T10:26:52.000Z", "related": { - "user": [ - "vagrant" - ], "hosts": [ "precise32" + ], + "user": [ + "vagrant" ] }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "precise32" - }, - "event": { - "ingested": "2022-01-12T04:29:55.806433577Z", - "timezone": "+0000", - "kind": "event" + "system": { + "auth": {} }, - "message": "pam_unix(sshd:session): session closed for user vagrant", "user": { "name": "vagrant" } }, { + "@timestamp": "2022-02-22T10:49:54.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "ssh_login", + "category": [ + "authentication", + "session" + ], + "kind": "event", + "outcome": "success", + "timezone": "+0000", + "type": [ + "authentication_success", + "info" + ] + }, + "host": { + "hostname": "precise32" + }, "process": { "name": "sshd", "pid": 3007 }, - "system": { - "auth": { - "ssh": { - "method": "publickey", - "event": "Accepted" - } - } - }, - "@timestamp": "2022-02-22T10:49:54.000Z", "related": { - "user": [ - "vagrant" - ], "hosts": [ "precise32" ], "ip": [ "10.0.2.2" + ], + "user": [ + "vagrant" ] }, 
- "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "precise32" - }, "source": { - "port": 52059, - "ip": "10.0.2.2" + "ip": "10.0.2.2", + "port": 52059 }, - "event": { - "ingested": "2022-01-12T04:29:55.806434460Z", - "timezone": "+0000", - "kind": "event", - "action": "ssh_login", - "type": [ - "authentication_success", - "info" - ], - "category": [ - "authentication", - "session" - ], - "outcome": "success" + "system": { + "auth": { + "ssh": { + "event": "Accepted", + "method": "publickey" + } + } }, "user": { "name": "vagrant" } }, { + "@timestamp": "2022-02-22T10:49:54.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(sshd:session): session opened for user vagrant by (uid=0)", "process": { "name": "sshd", "pid": 3007 }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-22T10:49:54.000Z", "related": { - "user": [ - "vagrant" - ], "hosts": [ "precise32" + ], + "user": [ + "vagrant" ] }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "precise32" - }, - "event": { - "ingested": "2022-01-12T04:29:55.806435329Z", - "timezone": "+0000", - "kind": "event" + "system": { + "auth": {} }, - "message": "pam_unix(sshd:session): session opened for user vagrant by (uid=0)", "user": { - "name": "", "effective": { "name": "vagrant" }, - "id": "0" + "id": "0", + "name": "" } }, { + "@timestamp": "2022-02-22T10:50:01.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, "process": { "name": "sudo" }, - "system": { - "auth": { - "sudo": { - "tty": "pts/0", - "pwd": "/home/vagrant", - "user": "root", - "command": "/usr/bin/vi /etc/apt/sources.list.d/elastic.list" - } - } - }, - "@timestamp": "2022-02-22T10:50:01.000Z", "related": { + "hosts": [ + "precise32" + ], "user": [ "vagrant", "root" - ], - "hosts": [ - "precise32" ] }, - "ecs": { - 
"version": "8.0.0" - }, - "host": { - "hostname": "precise32" - }, - "event": { - "ingested": "2022-01-12T04:29:55.806436321Z", - "timezone": "+0000", - "kind": "event" + "system": { + "auth": { + "sudo": { + "command": "/usr/bin/vi /etc/apt/sources.list.d/elastic.list", + "pwd": "/home/vagrant", + "tty": "pts/0", + "user": "root" + } + } }, "user": { - "name": "vagrant", "effective": { "name": "root" - } + }, + "name": "vagrant" } }, { + "@timestamp": "2022-02-22T10:50:17.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, "process": { "name": "sudo" }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "vagrant", + "root" + ] + }, "system": { "auth": { "sudo": { - "tty": "pts/0", + "command": "/usr/bin/apt-get update", "pwd": "/home/vagrant", - "user": "root", - "command": "/usr/bin/apt-get update" + "tty": "pts/0", + "user": "root" } } }, + "user": { + "effective": { + "name": "root" + }, + "name": "vagrant" + } + }, + { "@timestamp": "2022-02-22T10:50:17.000Z", - "related": { - "user": [ - "vagrant", - "root" - ], - "hosts": [ - "precise32" - ] - }, "ecs": { "version": "8.0.0" }, + "event": { + "kind": "event", + "timezone": "+0000" + }, "host": { "hostname": "precise32" }, - "event": { - "ingested": "2022-01-12T04:29:55.806437206Z", - "timezone": "+0000", - "kind": "event" - }, - "user": { - "name": "vagrant", - "effective": { - "name": "root" - } - } - }, - { + "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process": { "name": "sudo" }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-22T10:50:17.000Z", "related": { + "hosts": [ + "precise32" + ], "user": [ "vagrant", "root" - ], - "hosts": [ - "precise32" ] }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "precise32" - }, - "event": { - "ingested": "2022-01-12T04:29:55.806438080Z", - "timezone": "+0000", - "kind": "event" + "system": { + 
"auth": {} }, - "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "user": { - "name": "vagrant", "effective": { "name": "root" }, - "id": "1000" + "id": "1000", + "name": "vagrant" } }, { + "@timestamp": "2022-02-22T10:50:28.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(sudo:session): session closed for user root", "process": { "name": "sudo" }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-22T10:50:28.000Z", "related": { - "user": [ - "root" - ], "hosts": [ "precise32" + ], + "user": [ + "root" ] }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "precise32" - }, - "event": { - "ingested": "2022-01-12T04:29:55.806438946Z", - "timezone": "+0000", - "kind": "event" + "system": { + "auth": {} }, - "message": "pam_unix(sudo:session): session closed for user root", "user": { "name": "root" } }, { + "@timestamp": "2022-02-22T11:04:28.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "ssh_login", + "category": [ + "authentication", + "session" + ], + "kind": "event", + "outcome": "success", + "timezone": "+0000", + "type": [ + "authentication_success", + "info" + ] + }, + "host": { + "hostname": "precise32" + }, "process": { "name": "sshd", "pid": 3403 }, - "system": { - "auth": { - "ssh": { - "method": "publickey", - "event": "Accepted" - } - } - }, - "@timestamp": "2022-02-22T11:04:28.000Z", "related": { - "user": [ - "vagrant" - ], "hosts": [ "precise32" ], "ip": [ "10.0.2.2" + ], + "user": [ + "vagrant" ] }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "precise32" - }, "source": { - "port": 52321, - "ip": "10.0.2.2" + "ip": "10.0.2.2", + "port": 52321 }, - "event": { - "ingested": "2022-01-12T04:29:55.806439824Z", - "timezone": "+0000", - "kind": "event", - "action": "ssh_login", - "type": [ - "authentication_success", - "info" - ], - "category": 
[ - "authentication", - "session" - ], - "outcome": "success" + "system": { + "auth": { + "ssh": { + "event": "Accepted", + "method": "publickey" + } + } }, "user": { "name": "vagrant" } }, { + "@timestamp": "2022-02-22T11:04:28.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(sshd:session): session opened for user vagrant by (uid=0)", "process": { "name": "sshd", "pid": 3403 }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-22T11:04:28.000Z", "related": { - "user": [ - "vagrant" - ], "hosts": [ "precise32" + ], + "user": [ + "vagrant" ] }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "precise32" - }, - "event": { - "ingested": "2022-01-12T04:29:55.806440723Z", - "timezone": "+0000", - "kind": "event" + "system": { + "auth": {} }, - "message": "pam_unix(sshd:session): session opened for user vagrant by (uid=0)", "user": { - "name": "", "effective": { "name": "vagrant" }, - "id": "0" + "id": "0", + "name": "" } }, { + "@timestamp": "2022-02-22T11:04:32.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "Received disconnect from 10.0.2.2: 11: disconnected by user", "process": { "name": "sshd", "pid": 3418 }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-22T11:04:32.000Z", "related": { "hosts": [ "precise32" ] }, + "system": { + "auth": {} + } + }, + { + "@timestamp": "2022-02-22T11:04:32.000Z", "ecs": { "version": "8.0.0" }, + "event": { + "kind": "event", + "timezone": "+0000" + }, "host": { "hostname": "precise32" }, - "event": { - "ingested": "2022-01-12T04:29:55.806441601Z", - "timezone": "+0000", - "kind": "event" - }, - "message": "Received disconnect from 10.0.2.2: 11: disconnected by user" - }, - { + "message": "pam_unix(sshd:session): session closed for user vagrant", "process": { "name": "sshd", 
"pid": 3403 }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-22T11:04:32.000Z", "related": { - "user": [ - "vagrant" - ], "hosts": [ "precise32" + ], + "user": [ + "vagrant" ] }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "precise32" - }, - "event": { - "ingested": "2022-01-12T04:29:55.806442570Z", - "timezone": "+0000", - "kind": "event" + "system": { + "auth": {} }, - "message": "pam_unix(sshd:session): session closed for user vagrant", "user": { "name": "vagrant" } }, { + "@timestamp": "2022-02-22T11:17:01.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(cron:session): session opened for user root by (uid=0)", "process": { "name": "CRON", "pid": 3448 }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-22T11:17:01.000Z", "related": { - "user": [ - "root" - ], "hosts": [ "precise32" + ], + "user": [ + "root" ] }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "precise32" - }, - "event": { - "ingested": "2022-01-12T04:29:55.806443402Z", - "timezone": "+0000", - "kind": "event" + "system": { + "auth": {} }, - "message": "pam_unix(cron:session): session opened for user root by (uid=0)", "user": { - "name": "", "effective": { "name": "root" }, - "id": "0" + "id": "0", + "name": "" } }, { + "@timestamp": "2022-02-22T11:17:01.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(cron:session): session closed for user root", "process": { "name": "CRON", "pid": 3448 }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-22T11:17:01.000Z", "related": { - "user": [ - "root" - ], "hosts": [ "precise32" + ], + "user": [ + "root" ] }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "precise32" - }, - "event": { - "ingested": "2022-01-12T04:29:55.806444233Z", - "timezone": 
"+0000", - "kind": "event" + "system": { + "auth": {} }, - "message": "pam_unix(cron:session): session closed for user root", "user": { "name": "root" } }, { + "@timestamp": "2022-02-22T11:21:21.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "ssh_login", + "category": [ + "authentication", + "session" + ], + "kind": "event", + "outcome": "success", + "timezone": "+0000", + "type": [ + "authentication_success", + "info" + ] + }, + "host": { + "hostname": "precise32" + }, "process": { "name": "sshd", "pid": 3452 }, - "system": { - "auth": { - "ssh": { - "method": "publickey", - "event": "Accepted" - } - } - }, - "@timestamp": "2022-02-22T11:21:21.000Z", "related": { - "user": [ - "vagrant" - ], "hosts": [ "precise32" ], "ip": [ "10.0.2.2" + ], + "user": [ + "vagrant" ] }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "precise32" - }, "source": { - "port": 52747, - "ip": "10.0.2.2" + "ip": "10.0.2.2", + "port": 52747 }, - "event": { - "ingested": "2022-01-12T04:29:55.806445060Z", - "timezone": "+0000", - "kind": "event", - "action": "ssh_login", - "type": [ - "authentication_success", - "info" - ], - "category": [ - "authentication", - "session" - ], - "outcome": "success" + "system": { + "auth": { + "ssh": { + "event": "Accepted", + "method": "publickey" + } + } }, "user": { "name": "vagrant" } }, { + "@timestamp": "2022-02-22T11:21:21.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(sshd:session): session opened for user vagrant by (uid=0)", "process": { "name": "sshd", "pid": 3452 }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-22T11:21:21.000Z", "related": { - "user": [ - "vagrant" - ], "hosts": [ "precise32" + ], + "user": [ + "vagrant" ] }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "precise32" - }, - "event": { - "ingested": "2022-01-12T04:29:55.806445877Z", - "timezone": 
"+0000", - "kind": "event" + "system": { + "auth": {} }, - "message": "pam_unix(sshd:session): session opened for user vagrant by (uid=0)", "user": { - "name": "", "effective": { "name": "vagrant" }, - "id": "0" + "id": "0", + "name": "" } }, { + "@timestamp": "2022-02-22T11:21:24.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "Received disconnect from 10.0.2.2: 11: disconnected by user", "process": { "name": "sshd", "pid": 3467 }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-22T11:21:24.000Z", "related": { "hosts": [ "precise32" ] }, + "system": { + "auth": {} + } + }, + { + "@timestamp": "2022-02-22T11:21:24.000Z", "ecs": { "version": "8.0.0" }, + "event": { + "kind": "event", + "timezone": "+0000" + }, "host": { "hostname": "precise32" }, - "event": { - "ingested": "2022-01-12T04:29:55.806446707Z", - "timezone": "+0000", - "kind": "event" - }, - "message": "Received disconnect from 10.0.2.2: 11: disconnected by user" - }, - { + "message": "pam_unix(sshd:session): session closed for user vagrant", "process": { "name": "sshd", "pid": 3452 }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-22T11:21:24.000Z", "related": { - "user": [ - "vagrant" - ], "hosts": [ "precise32" + ], + "user": [ + "vagrant" ] }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "precise32" - }, - "event": { - "ingested": "2022-01-12T04:29:55.806447535Z", - "timezone": "+0000", - "kind": "event" + "system": { + "auth": {} }, - "message": "pam_unix(sshd:session): session closed for user vagrant", "user": { "name": "vagrant" } }, { + "@timestamp": "2022-02-22T11:24:43.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, "process": { "name": "sudo" }, - "system": { - "auth": { - "sudo": { - "tty": "pts/0", - "pwd": "/home/vagrant", - "user": "root", - 
"command": "/usr/bin/vi /etc/filebeat/filebeat.full.yml" - } - } - }, - "@timestamp": "2022-02-22T11:24:43.000Z", "related": { + "hosts": [ + "precise32" + ], "user": [ "vagrant", "root" - ], - "hosts": [ - "precise32" ] }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "precise32" - }, - "event": { - "ingested": "2022-01-12T04:29:55.806448394Z", - "timezone": "+0000", - "kind": "event" + "system": { + "auth": { + "sudo": { + "command": "/usr/bin/vi /etc/filebeat/filebeat.full.yml", + "pwd": "/home/vagrant", + "tty": "pts/0", + "user": "root" + } + } }, "user": { - "name": "vagrant", "effective": { "name": "root" - } + }, + "name": "vagrant" } }, { + "@timestamp": "2022-02-22T11:24:43.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process": { "name": "sudo" }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-22T11:24:43.000Z", "related": { + "hosts": [ + "precise32" + ], "user": [ "vagrant", "root" - ], - "hosts": [ - "precise32" ] }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "precise32" - }, - "event": { - "ingested": "2022-01-12T04:29:55.806449228Z", - "timezone": "+0000", - "kind": "event" + "system": { + "auth": {} }, - "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "user": { - "name": "vagrant", "effective": { "name": "root" }, - "id": "1000" + "id": "1000", + "name": "vagrant" } }, { + "@timestamp": "2022-02-22T23:17:01.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(cron:session): session opened for user root by (uid=0)", "process": { "name": "CRON", "pid": 3760 }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-22T23:17:01.000Z", "related": { - "user": [ - 
"root" - ], "hosts": [ "precise32" + ], + "user": [ + "root" ] }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "precise32" - }, - "event": { - "ingested": "2022-01-12T04:29:55.806450056Z", - "timezone": "+0000", - "kind": "event" + "system": { + "auth": {} }, - "message": "pam_unix(cron:session): session opened for user root by (uid=0)", "user": { - "name": "", "effective": { "name": "root" }, - "id": "0" + "id": "0", + "name": "" } }, { + "@timestamp": "2022-02-22T23:17:01.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(cron:session): session closed for user root", "process": { "name": "CRON", "pid": 3760 }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-22T23:17:01.000Z", "related": { - "user": [ - "root" - ], "hosts": [ "precise32" + ], + "user": [ + "root" ] }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "precise32" - }, - "event": { - "ingested": "2022-01-12T04:29:55.806450880Z", - "timezone": "+0000", - "kind": "event" + "system": { + "auth": {} }, - "message": "pam_unix(cron:session): session closed for user root", "user": { "name": "root" } }, { + "@timestamp": "2022-02-22T23:29:50.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(sudo:session): session closed for user root", "process": { "name": "sudo" }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-22T23:29:50.000Z", "related": { - "user": [ - "root" - ], "hosts": [ "precise32" + ], + "user": [ + "root" ] }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "precise32" - }, - "event": { - "ingested": "2022-01-12T04:29:55.806451855Z", - "timezone": "+0000", - "kind": "event" + "system": { + "auth": {} }, - "message": "pam_unix(sudo:session): session closed for user root", "user": { "name": "root" } 
}, { + "@timestamp": "2022-02-22T23:29:50.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(sshd:session): session closed for user vagrant", "process": { "name": "sshd", "pid": 3007 }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-22T23:29:50.000Z", "related": { - "user": [ - "vagrant" - ], "hosts": [ "precise32" + ], + "user": [ + "vagrant" ] }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "precise32" - }, - "event": { - "ingested": "2022-01-12T04:29:55.806452679Z", - "timezone": "+0000", - "kind": "event" + "system": { + "auth": {} }, - "message": "pam_unix(sshd:session): session closed for user vagrant", "user": { "name": "vagrant" } }, { + "@timestamp": "2022-02-23T19:17:01.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(cron:session): session opened for user root by (uid=0)", "process": { "name": "CRON", "pid": 3938 }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-23T19:17:01.000Z", "related": { - "user": [ - "root" - ], "hosts": [ "precise32" + ], + "user": [ + "root" ] }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "precise32" - }, - "event": { - "ingested": "2022-01-12T04:29:55.806453511Z", - "timezone": "+0000", - "kind": "event" + "system": { + "auth": {} }, - "message": "pam_unix(cron:session): session opened for user root by (uid=0)", "user": { - "name": "", "effective": { "name": "root" }, - "id": "0" + "id": "0", + "name": "" } }, { + "@timestamp": "2022-02-23T19:17:01.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(cron:session): session closed for user root", "process": { "name": "CRON", "pid": 3938 }, - "system": { - "auth": {} - }, - 
"@timestamp": "2022-02-23T19:17:01.000Z", "related": { - "user": [ - "root" - ], "hosts": [ "precise32" + ], + "user": [ + "root" ] }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "precise32" - }, - "event": { - "ingested": "2022-01-12T04:29:55.806454397Z", - "timezone": "+0000", - "kind": "event" + "system": { + "auth": {} }, - "message": "pam_unix(cron:session): session closed for user root", "user": { "name": "root" } }, { - "process": { - "name": "sshd", - "pid": 3945 + "@timestamp": "2022-02-23T19:26:35.000Z", + "ecs": { + "version": "8.0.0" }, - "system": { - "auth": { - "ssh": { - "method": "publickey", - "event": "Accepted" - } - } + "event": { + "action": "ssh_login", + "category": [ + "authentication", + "session" + ], + "kind": "event", + "outcome": "success", + "timezone": "+0000", + "type": [ + "authentication_success", + "info" + ] + }, + "host": { + "hostname": "precise32" + }, + "process": { + "name": "sshd", + "pid": 3945 }, - "@timestamp": "2022-02-23T19:26:35.000Z", "related": { - "user": [ - "vagrant" - ], "hosts": [ "precise32" ], "ip": [ "10.0.2.2" + ], + "user": [ + "vagrant" ] }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "precise32" - }, "source": { - "port": 58363, - "ip": "10.0.2.2" + "ip": "10.0.2.2", + "port": 58363 }, - "event": { - "ingested": "2022-01-12T04:29:55.806455219Z", - "timezone": "+0000", - "kind": "event", - "action": "ssh_login", - "type": [ - "authentication_success", - "info" - ], - "category": [ - "authentication", - "session" - ], - "outcome": "success" + "system": { + "auth": { + "ssh": { + "event": "Accepted", + "method": "publickey" + } + } }, "user": { "name": "vagrant" } }, { + "@timestamp": "2022-02-23T19:26:35.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(sshd:session): session opened for user vagrant by (uid=0)", "process": { "name": "sshd", "pid": 
3945 }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-23T19:26:35.000Z", "related": { - "user": [ - "vagrant" - ], "hosts": [ "precise32" + ], + "user": [ + "vagrant" ] }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "precise32" - }, - "event": { - "ingested": "2022-01-12T04:29:55.806456054Z", - "timezone": "+0000", - "kind": "event" + "system": { + "auth": {} }, - "message": "pam_unix(sshd:session): session opened for user vagrant by (uid=0)", "user": { - "name": "", "effective": { "name": "vagrant" }, - "id": "0" + "id": "0", + "name": "" } }, { + "@timestamp": "2022-02-23T20:05:18.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, "process": { "name": "sudo" }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "vagrant", + "root" + ] + }, "system": { "auth": { "sudo": { - "tty": "pts/0", + "command": "/usr/bin/less /var/log/auth.log", "pwd": "/home/vagrant", - "user": "root", - "command": "/usr/bin/less /var/log/auth.log" + "tty": "pts/0", + "user": "root" } } }, + "user": { + "effective": { + "name": "root" + }, + "name": "vagrant" + } + }, + { "@timestamp": "2022-02-23T20:05:18.000Z", - "related": { - "user": [ - "vagrant", - "root" - ], - "hosts": [ - "precise32" - ] - }, "ecs": { "version": "8.0.0" }, + "event": { + "kind": "event", + "timezone": "+0000" + }, "host": { "hostname": "precise32" }, - "event": { - "ingested": "2022-01-12T04:29:55.806456879Z", - "timezone": "+0000", - "kind": "event" - }, - "user": { - "name": "vagrant", - "effective": { - "name": "root" - } - } - }, - { + "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process": { "name": "sudo" }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-23T20:05:18.000Z", "related": { + "hosts": [ + "precise32" + ], "user": [ "vagrant", "root" - ], - "hosts": [ - "precise32" ] }, - "ecs": { - "version": "8.0.0" - }, - 
"host": { - "hostname": "precise32" - }, - "event": { - "ingested": "2022-01-12T04:29:55.806457697Z", - "timezone": "+0000", - "kind": "event" + "system": { + "auth": {} }, - "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "user": { - "name": "vagrant", "effective": { "name": "root" }, - "id": "1000" + "id": "1000", + "name": "vagrant" } }, { + "@timestamp": "2022-02-23T20:15:04.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(sudo:session): session closed for user root", "process": { "name": "sudo" }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-23T20:15:04.000Z", "related": { - "user": [ - "root" - ], "hosts": [ "precise32" + ], + "user": [ + "root" ] }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "precise32" - }, - "event": { - "ingested": "2022-01-12T04:29:55.806458526Z", - "timezone": "+0000", - "kind": "event" + "system": { + "auth": {} }, - "message": "pam_unix(sudo:session): session closed for user root", "user": { "name": "root" } }, { + "@timestamp": "2022-02-23T20:15:09.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "Received disconnect from 10.0.2.2: 11: disconnected by user", "process": { "name": "sshd", "pid": 3960 }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-23T20:15:09.000Z", "related": { "hosts": [ "precise32" ] }, + "system": { + "auth": {} + } + }, + { + "@timestamp": "2022-02-23T20:15:09.000Z", "ecs": { "version": "8.0.0" }, + "event": { + "kind": "event", + "timezone": "+0000" + }, "host": { "hostname": "precise32" }, - "event": { - "ingested": "2022-01-12T04:29:55.806459351Z", - "timezone": "+0000", - "kind": "event" - }, - "message": "Received disconnect from 10.0.2.2: 11: disconnected by user" - }, - { + "message": 
"pam_unix(sshd:session): session closed for user vagrant", "process": { "name": "sshd", "pid": 3945 }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-23T20:15:09.000Z", "related": { - "user": [ - "vagrant" - ], "hosts": [ "precise32" + ], + "user": [ + "vagrant" ] }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "precise32" - }, - "event": { - "ingested": "2022-01-12T04:29:55.806460169Z", - "timezone": "+0000", - "kind": "event" + "system": { + "auth": {} }, - "message": "pam_unix(sshd:session): session closed for user vagrant", "user": { "name": "vagrant" } }, { + "@timestamp": "2022-02-23T23:17:01.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(cron:session): session opened for user root by (uid=0)", "process": { "name": "CRON", "pid": 4170 }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-23T23:17:01.000Z", "related": { - "user": [ - "root" - ], "hosts": [ "precise32" + ], + "user": [ + "root" ] }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "precise32" - }, - "event": { - "ingested": "2022-01-12T04:29:55.806460985Z", - "timezone": "+0000", - "kind": "event" + "system": { + "auth": {} }, - "message": "pam_unix(cron:session): session opened for user root by (uid=0)", "user": { - "name": "", "effective": { "name": "root" }, - "id": "0" + "id": "0", + "name": "" } }, { + "@timestamp": "2022-02-23T23:17:01.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(cron:session): session closed for user root", "process": { "name": "CRON", "pid": 4170 }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-23T23:17:01.000Z", "related": { - "user": [ - "root" - ], "hosts": [ "precise32" + ], + "user": [ + "root" ] }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": 
"precise32" - }, - "event": { - "ingested": "2022-01-12T04:29:55.806461803Z", - "timezone": "+0000", - "kind": "event" + "system": { + "auth": {} }, - "message": "pam_unix(cron:session): session closed for user root", "user": { "name": "root" } }, { + "@timestamp": "2022-02-24T00:11:15.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "ssh_login", + "category": [ + "authentication", + "session" + ], + "kind": "event", + "outcome": "success", + "timezone": "+0000", + "type": [ + "authentication_success", + "info" + ] + }, + "host": { + "hostname": "precise32" + }, "process": { "name": "sshd", "pid": 4185 }, - "system": { - "auth": { - "ssh": { - "method": "publickey", - "event": "Accepted" - } - } - }, - "@timestamp": "2022-02-24T00:11:15.000Z", "related": { - "user": [ - "vagrant" - ], "hosts": [ "precise32" ], "ip": [ "10.0.2.2" + ], + "user": [ + "vagrant" ] }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "precise32" - }, "source": { - "port": 60839, - "ip": "10.0.2.2" + "ip": "10.0.2.2", + "port": 60839 }, - "event": { - "ingested": "2022-01-12T04:29:55.806462646Z", - "timezone": "+0000", - "kind": "event", - "action": "ssh_login", - "type": [ - "authentication_success", - "info" - ], - "category": [ - "authentication", - "session" - ], - "outcome": "success" + "system": { + "auth": { + "ssh": { + "event": "Accepted", + "method": "publickey" + } + } }, "user": { "name": "vagrant" } }, { + "@timestamp": "2022-02-24T00:11:15.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(sshd:session): session opened for user vagrant by (uid=0)", "process": { "name": "sshd", "pid": 4185 }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-24T00:11:15.000Z", "related": { - "user": [ - "vagrant" - ], "hosts": [ "precise32" + ], + "user": [ + "vagrant" ] }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": 
"precise32" - }, - "event": { - "ingested": "2022-01-12T04:29:55.806463476Z", - "timezone": "+0000", - "kind": "event" + "system": { + "auth": {} }, - "message": "pam_unix(sshd:session): session opened for user vagrant by (uid=0)", "user": { - "name": "", "effective": { "name": "vagrant" }, - "id": "0" + "id": "0", + "name": "" } }, { + "@timestamp": "2022-02-24T00:11:24.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "ssh_login", + "category": [ + "authentication", + "session" + ], + "kind": "event", + "outcome": "success", + "timezone": "+0000", + "type": [ + "authentication_success", + "info" + ] + }, + "host": { + "hostname": "precise32" + }, "process": { "name": "sshd", "pid": 4302 }, - "system": { - "auth": { - "ssh": { - "method": "publickey", - "event": "Accepted" - } - } - }, - "@timestamp": "2022-02-24T00:11:24.000Z", "related": { - "user": [ - "vagrant" - ], "hosts": [ "precise32" ], "ip": [ "10.0.2.2" + ], + "user": [ + "vagrant" ] }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "precise32" - }, "source": { - "port": 60840, - "ip": "10.0.2.2" + "ip": "10.0.2.2", + "port": 60840 }, - "event": { - "ingested": "2022-01-12T04:29:55.806464310Z", - "timezone": "+0000", - "kind": "event", - "action": "ssh_login", - "type": [ - "authentication_success", - "info" - ], - "category": [ - "authentication", - "session" - ], - "outcome": "success" + "system": { + "auth": { + "ssh": { + "event": "Accepted", + "method": "publickey" + } + } }, "user": { "name": "vagrant" } }, { + "@timestamp": "2022-02-24T00:11:24.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(sshd:session): session opened for user vagrant by (uid=0)", "process": { "name": "sshd", "pid": 4302 }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-24T00:11:24.000Z", "related": { - "user": [ - "vagrant" - ], "hosts": [ "precise32" + ], + 
"user": [ + "vagrant" ] }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "precise32" - }, - "event": { - "ingested": "2022-01-12T04:29:55.806465263Z", - "timezone": "+0000", - "kind": "event" + "system": { + "auth": {} }, - "message": "pam_unix(sshd:session): session opened for user vagrant by (uid=0)", "user": { - "name": "", "effective": { "name": "vagrant" }, - "id": "0" + "id": "0", + "name": "" } }, { + "@timestamp": "2022-02-24T00:11:26.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, "process": { "name": "sudo" }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "vagrant", + "root" + ] + }, "system": { "auth": { "sudo": { - "tty": "pts/1", + "command": "/bin/bash", "pwd": "/home/vagrant", - "user": "root", - "command": "/bin/bash" + "tty": "pts/1", + "user": "root" } } }, - "@timestamp": "2022-02-24T00:11:26.000Z", - "related": { - "user": [ - "vagrant", - "root" - ], - "hosts": [ - "precise32" - ] - }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "precise32" - }, - "event": { - "ingested": "2022-01-12T04:29:55.806466089Z", - "timezone": "+0000", - "kind": "event" - }, "user": { - "name": "vagrant", "effective": { "name": "root" - } + }, + "name": "vagrant" } }, { + "@timestamp": "2022-02-24T00:11:26.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process": { "name": "sudo" }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-24T00:11:26.000Z", "related": { + "hosts": [ + "precise32" + ], "user": [ "vagrant", "root" - ], - "hosts": [ - "precise32" ] }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "precise32" - }, - "event": { - "ingested": "2022-01-12T04:29:55.806466924Z", - "timezone": "+0000", - "kind": 
"event" + "system": { + "auth": {} }, - "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "user": { - "name": "vagrant", "effective": { "name": "root" }, - "id": "1000" + "id": "1000", + "name": "vagrant" } }, { + "@timestamp": "2022-02-24T00:12:02.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "iam" + ], + "kind": "event", + "outcome": "success", + "timezone": "+0000", + "type": [ + "group", + "creation" + ] + }, + "host": { + "hostname": "precise32" + }, + "message": "group added to /etc/group: name=tsg, GID=1003", "process": { "name": "groupadd", "pid": 4480 }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-24T00:12:02.000Z", "related": { "hosts": [ "precise32" ] }, + "system": { + "auth": {} + } + }, + { + "@timestamp": "2022-02-24T00:12:02.000Z", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "precise32" - }, "event": { - "ingested": "2022-01-12T04:29:55.806467753Z", "category": [ "iam" ], + "kind": "event", + "outcome": "success", + "timezone": "+0000", "type": [ "group", "creation" - ], - "timezone": "+0000", - "kind": "event", - "outcome": "success" + ] }, - "message": "group added to /etc/group: name=tsg, GID=1003" - }, - { + "host": { + "hostname": "precise32" + }, + "message": "group added to /etc/gshadow: name=tsg", "process": { "name": "groupadd", "pid": 4480 }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-24T00:12:02.000Z", "related": { "hosts": [ "precise32" ] }, + "system": { + "auth": {} + } + }, + { + "@timestamp": "2022-02-24T00:12:02.000Z", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "precise32" - }, "event": { - "ingested": "2022-01-12T04:29:55.806468576Z", "category": [ "iam" ], + "kind": "event", + "outcome": "success", + "timezone": "+0000", "type": [ "group", "creation" - ], - "timezone": "+0000", - "kind": "event", - "outcome": "success" + ] + }, + "group": { + "id": "1003", + "name": "tsg" + }, + "host": { + "hostname": 
"precise32" }, - "message": "group added to /etc/gshadow: name=tsg" - }, - { "process": { "name": "groupadd", "pid": 4480 }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-24T00:12:02.000Z", "related": { "hosts": [ "precise32" ] }, + "system": { + "auth": {} + } + }, + { + "@timestamp": "2022-02-24T00:12:02.000Z", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "precise32" - }, "event": { - "ingested": "2022-01-12T04:29:55.806469407Z", "category": [ "iam" ], + "kind": "event", + "outcome": "success", + "timezone": "+0000", "type": [ - "group", + "user", "creation" - ], - "timezone": "+0000", - "kind": "event", - "outcome": "success" + ] }, "group": { - "name": "tsg", "id": "1003" - } - }, - { + }, + "host": { + "hostname": "precise32" + }, "process": { "name": "useradd", "pid": 4484 }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "tsg" + ] + }, "system": { "auth": { "useradd": { - "shell": "/bin/bash", - "home": "/home/tsg" + "home": "/home/tsg", + "shell": "/bin/bash" } } }, - "@timestamp": "2022-02-24T00:12:02.000Z", - "related": { - "user": [ - "tsg" - ], - "hosts": [ - "precise32" - ] - }, + "user": { + "id": "1001", + "name": "tsg" + } + }, + { + "@timestamp": "2022-02-24T00:12:07.000Z", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "precise32" - }, "event": { - "ingested": "2022-01-12T04:29:55.806470249Z", - "category": [ - "iam" - ], - "type": [ - "user", - "creation" - ], - "timezone": "+0000", "kind": "event", - "outcome": "success" + "timezone": "+0000" }, - "user": { - "name": "tsg", - "id": "1001" + "host": { + "hostname": "precise32" }, - "group": { - "id": "1003" - } - }, - { + "message": "pam_unix(passwd:chauthtok): password changed for tsg", "process": { "name": "passwd", "pid": 4491 }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-24T00:12:07.000Z", "related": { "hosts": [ "precise32" ] }, + "system": { + "auth": {} + } + }, + { + "@timestamp": "2022-02-24T00:12:10.000Z", "ecs": { "version": 
"8.0.0" }, + "event": { + "kind": "event", + "timezone": "+0000" + }, "host": { "hostname": "precise32" }, - "event": { - "ingested": "2022-01-12T04:29:55.806471074Z", - "timezone": "+0000", - "kind": "event" - }, - "message": "pam_unix(passwd:chauthtok): password changed for tsg" - }, - { + "message": "changed user 'tsg' information", "process": { "name": "chfn", "pid": 4492 }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-24T00:12:10.000Z", "related": { "hosts": [ "precise32" ] }, + "system": { + "auth": {} + } + }, + { + "@timestamp": "2022-02-24T00:12:14.000Z", "ecs": { "version": "8.0.0" }, + "event": { + "kind": "event", + "timezone": "+0000" + }, "host": { "hostname": "precise32" }, - "event": { - "ingested": "2022-01-12T04:29:55.806471912Z", - "timezone": "+0000", - "kind": "event" - }, - "message": "changed user 'tsg' information" - }, - { + "message": "Successful su for tsg by root", "process": { "name": "su", "pid": 4496 }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-24T00:12:14.000Z", "related": { "hosts": [ "precise32" ] }, + "system": { + "auth": {} + } + }, + { + "@timestamp": "2022-02-24T00:12:14.000Z", "ecs": { "version": "8.0.0" }, + "event": { + "kind": "event", + "timezone": "+0000" + }, "host": { "hostname": "precise32" }, - "event": { - "ingested": "2022-01-12T04:29:55.806472736Z", - "timezone": "+0000", - "kind": "event" - }, - "message": "Successful su for tsg by root" - }, - { + "message": "+ /dev/pts/1 root:tsg", "process": { "name": "su", "pid": 4496 }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-24T00:12:14.000Z", "related": { "hosts": [ "precise32" ] }, + "system": { + "auth": {} + } + }, + { + "@timestamp": "2022-02-24T00:12:14.000Z", "ecs": { "version": "8.0.0" }, + "event": { + "kind": "event", + "timezone": "+0000" + }, "host": { "hostname": "precise32" }, - "event": { - "ingested": "2022-01-12T04:29:55.806473561Z", - "timezone": "+0000", - "kind": "event" - }, - "message": "+ /dev/pts/1 
root:tsg" - }, - { + "message": "pam_unix(su:session): session opened for user tsg by vagrant(uid=0)", "process": { "name": "su", "pid": 4496 }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-24T00:12:14.000Z", "related": { + "hosts": [ + "precise32" + ], "user": [ "vagrant", "tsg" - ], - "hosts": [ - "precise32" ] }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "precise32" - }, - "event": { - "ingested": "2022-01-12T04:29:55.806474390Z", - "timezone": "+0000", - "kind": "event" + "system": { + "auth": {} }, - "message": "pam_unix(su:session): session opened for user tsg by vagrant(uid=0)", "user": { - "name": "vagrant", "effective": { "name": "tsg" }, - "id": "0" + "id": "0", + "name": "vagrant" } }, { + "@timestamp": "2022-02-24T00:12:20.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(sudo:auth): authentication failure; logname=vagrant uid=1001 euid=0 tty=/dev/pts/1 ruser=tsg rhost= user=tsg", "process": { "name": "sudo" }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-24T00:12:20.000Z", "related": { "hosts": [ "precise32" ] }, + "system": { + "auth": {} + } + }, + { + "@timestamp": "2022-02-24T00:12:37.000Z", "ecs": { "version": "8.0.0" }, + "event": { + "kind": "event", + "timezone": "+0000" + }, "host": { "hostname": "precise32" }, - "event": { - "ingested": "2022-01-12T04:29:55.817425949Z", - "timezone": "+0000", - "kind": "event" - }, - "message": "pam_unix(sudo:auth): authentication failure; logname=vagrant uid=1001 euid=0 tty=/dev/pts/1 ruser=tsg rhost= user=tsg" - }, - { "process": { "name": "sudo" }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "vagrant", + "root" + ] + }, "system": { "auth": { "sudo": { - "tty": "pts/0", + "command": "/bin/cat /var/log/auth.log", "pwd": "/home/vagrant", - "user": "root", - "command": "/bin/cat /var/log/auth.log" + "tty": "pts/0", + "user": "root" 
} } }, + "user": { + "effective": { + "name": "root" + }, + "name": "vagrant" + } + }, + { "@timestamp": "2022-02-24T00:12:37.000Z", - "related": { - "user": [ - "vagrant", - "root" - ], - "hosts": [ - "precise32" - ] - }, "ecs": { "version": "8.0.0" }, + "event": { + "kind": "event", + "timezone": "+0000" + }, "host": { "hostname": "precise32" }, - "event": { - "ingested": "2022-01-12T04:29:55.817441600Z", - "timezone": "+0000", - "kind": "event" - }, - "user": { - "name": "vagrant", - "effective": { - "name": "root" - } - } - }, - { + "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process": { "name": "sudo" }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-24T00:12:37.000Z", "related": { + "hosts": [ + "precise32" + ], "user": [ "vagrant", "root" - ], - "hosts": [ - "precise32" ] }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "precise32" - }, - "event": { - "ingested": "2022-01-12T04:29:55.817443034Z", - "timezone": "+0000", - "kind": "event" + "system": { + "auth": {} }, - "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "user": { - "name": "vagrant", "effective": { "name": "root" }, - "id": "1000" + "id": "1000", + "name": "vagrant" } }, { + "@timestamp": "2022-02-24T00:12:37.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(sudo:session): session closed for user root", "process": { "name": "sudo" }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-24T00:12:37.000Z", "related": { - "user": [ - "root" - ], "hosts": [ "precise32" + ], + "user": [ + "root" ] }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "precise32" - }, - "event": { - "ingested": "2022-01-12T04:29:55.817443991Z", - "timezone": "+0000", - "kind": "event" + "system": { + "auth": {} }, - "message": "pam_unix(sudo:session): session closed for user 
root", "user": { "name": "root" } }, { + "@timestamp": "2022-02-24T00:12:42.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, "process": { "name": "sudo" }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "tsg", + "root" + ] + }, "system": { "auth": { "sudo": { - "tty": "pts/1", - "pwd": "/home/vagrant", + "command": "/bin/ls", "error": "3 incorrect password attempts", - "user": "root", - "command": "/bin/ls" + "pwd": "/home/vagrant", + "tty": "pts/1", + "user": "root" } } }, + "user": { + "effective": { + "name": "root" + }, + "name": "tsg" + } + }, + { "@timestamp": "2022-02-24T00:12:42.000Z", - "related": { - "user": [ - "tsg", - "root" - ], - "hosts": [ - "precise32" - ] - }, "ecs": { "version": "8.0.0" }, + "event": { + "kind": "event", + "timezone": "+0000" + }, "host": { "hostname": "precise32" }, - "event": { - "ingested": "2022-01-12T04:29:55.817445075Z", - "timezone": "+0000", - "kind": "event" - }, - "user": { - "name": "tsg", - "effective": { - "name": "root" - } - } - }, - { + "message": "unable to execute /usr/sbin/sendmail: No such file or directory", "process": { "name": "sudo" }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-24T00:12:42.000Z", "related": { "hosts": [ "precise32" ] }, + "system": { + "auth": {} + } + }, + { + "@timestamp": "2022-02-24T00:12:50.000Z", "ecs": { "version": "8.0.0" }, + "event": { + "kind": "event", + "timezone": "+0000" + }, "host": { "hostname": "precise32" }, - "event": { - "ingested": "2022-01-12T04:29:55.817445998Z", - "timezone": "+0000", - "kind": "event" - }, - "message": "unable to execute /usr/sbin/sendmail: No such file or directory" - }, - { "process": { "name": "sudo" }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "vagrant", + "root" + ] + }, "system": { "auth": { "sudo": { - "tty": "pts/0", + "command": "/bin/cat /var/log/auth.log", "pwd": "/home/vagrant", - "user": 
"root", - "command": "/bin/cat /var/log/auth.log" + "tty": "pts/0", + "user": "root" } } }, + "user": { + "effective": { + "name": "root" + }, + "name": "vagrant" + } + }, + { "@timestamp": "2022-02-24T00:12:50.000Z", - "related": { - "user": [ - "vagrant", - "root" - ], - "hosts": [ - "precise32" - ] - }, "ecs": { "version": "8.0.0" }, + "event": { + "kind": "event", + "timezone": "+0000" + }, "host": { "hostname": "precise32" }, - "event": { - "ingested": "2022-01-12T04:29:55.817446890Z", - "timezone": "+0000", - "kind": "event" - }, - "user": { - "name": "vagrant", - "effective": { - "name": "root" - } - } - }, - { + "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process": { "name": "sudo" }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-24T00:12:50.000Z", "related": { + "hosts": [ + "precise32" + ], "user": [ "vagrant", "root" - ], - "hosts": [ - "precise32" ] }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "precise32" - }, - "event": { - "ingested": "2022-01-12T04:29:55.817447780Z", - "timezone": "+0000", - "kind": "event" + "system": { + "auth": {} }, - "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "user": { - "name": "vagrant", "effective": { "name": "root" }, - "id": "1000" + "id": "1000", + "name": "vagrant" } }, { + "@timestamp": "2022-02-24T00:12:50.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(sudo:session): session closed for user root", "process": { "name": "sudo" }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-24T00:12:50.000Z", "related": { - "user": [ - "root" - ], "hosts": [ "precise32" + ], + "user": [ + "root" ] }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "precise32" - }, - "event": { - "ingested": "2022-01-12T04:29:55.817448664Z", - "timezone": "+0000", - "kind": "event" + 
"system": { + "auth": {} }, - "message": "pam_unix(sudo:session): session closed for user root", "user": { "name": "root" } }, { + "@timestamp": "2022-02-24T00:13:02.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, "process": { "name": "sudo" }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "tsg", + "root" + ] + }, "system": { "auth": { "sudo": { - "tty": "pts/1", - "pwd": "/home/vagrant", + "command": "/bin/ls", "error": "user NOT in sudoers", - "user": "root", - "command": "/bin/ls" + "pwd": "/home/vagrant", + "tty": "pts/1", + "user": "root" } } }, + "user": { + "effective": { + "name": "root" + }, + "name": "tsg" + } + }, + { "@timestamp": "2022-02-24T00:13:02.000Z", - "related": { - "user": [ - "tsg", - "root" - ], - "hosts": [ - "precise32" - ] - }, "ecs": { "version": "8.0.0" }, + "event": { + "kind": "event", + "timezone": "+0000" + }, "host": { "hostname": "precise32" }, - "event": { - "ingested": "2022-01-12T04:29:55.817449624Z", - "timezone": "+0000", - "kind": "event" - }, - "user": { - "name": "tsg", - "effective": { - "name": "root" - } - } - }, - { + "message": "unable to execute /usr/sbin/sendmail: No such file or directory", "process": { "name": "sudo" }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-24T00:13:02.000Z", "related": { "hosts": [ "precise32" ] }, + "system": { + "auth": {} + } + }, + { + "@timestamp": "2022-02-24T00:13:06.000Z", "ecs": { "version": "8.0.0" }, + "event": { + "kind": "event", + "timezone": "+0000" + }, "host": { "hostname": "precise32" }, - "event": { - "ingested": "2022-01-12T04:29:55.817450581Z", - "timezone": "+0000", - "kind": "event" - }, - "message": "unable to execute /usr/sbin/sendmail: No such file or directory" - }, - { "process": { "name": "sudo" }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "vagrant", + "root" + ] + }, "system": { "auth": { "sudo": { - "tty": "pts/0", + 
"command": "/bin/cat /var/log/auth.log", "pwd": "/home/vagrant", - "user": "root", - "command": "/bin/cat /var/log/auth.log" + "tty": "pts/0", + "user": "root" } } }, + "user": { + "effective": { + "name": "root" + }, + "name": "vagrant" + } + }, + { "@timestamp": "2022-02-24T00:13:06.000Z", - "related": { - "user": [ - "vagrant", - "root" - ], - "hosts": [ - "precise32" - ] - }, "ecs": { "version": "8.0.0" }, + "event": { + "kind": "event", + "timezone": "+0000" + }, "host": { "hostname": "precise32" }, - "event": { - "ingested": "2022-01-12T04:29:55.817451459Z", - "timezone": "+0000", - "kind": "event" - }, - "user": { - "name": "vagrant", - "effective": { - "name": "root" - } - } - }, - { + "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process": { "name": "sudo" }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-24T00:13:06.000Z", "related": { + "hosts": [ + "precise32" + ], "user": [ "vagrant", "root" - ], - "hosts": [ - "precise32" ] }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "precise32" - }, - "event": { - "ingested": "2022-01-12T04:29:55.817452651Z", - "timezone": "+0000", - "kind": "event" + "system": { + "auth": {} }, - "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "user": { - "name": "vagrant", "effective": { "name": "root" }, - "id": "1000" + "id": "1000", + "name": "vagrant" } }, { + "@timestamp": "2022-02-24T00:13:06.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(sudo:session): session closed for user root", "process": { "name": "sudo" }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-24T00:13:06.000Z", "related": { - "user": [ - "root" - ], "hosts": [ "precise32" + ], + "user": [ + "root" ] }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "precise32" - }, - "event": { - "ingested": 
"2022-01-12T04:29:55.817453558Z", - "timezone": "+0000", - "kind": "event" + "system": { + "auth": {} }, - "message": "pam_unix(sudo:session): session closed for user root", "user": { "name": "root" } }, { + "@timestamp": "2022-02-24T00:17:01.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(cron:session): session opened for user root by (uid=0)", "process": { "name": "CRON", "pid": 4588 }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-24T00:17:01.000Z", "related": { - "user": [ - "root" - ], "hosts": [ "precise32" + ], + "user": [ + "root" ] }, - "ecs": { - "version": "8.0.0" + "system": { + "auth": {} }, - "host": { - "hostname": "precise32" - }, - "event": { - "ingested": "2022-01-12T04:29:55.817454835Z", - "timezone": "+0000", - "kind": "event" - }, - "message": "pam_unix(cron:session): session opened for user root by (uid=0)", "user": { - "name": "", "effective": { "name": "root" }, - "id": "0" + "id": "0", + "name": "" } }, { + "@timestamp": "2022-02-24T00:17:01.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(cron:session): session closed for user root", "process": { "name": "CRON", "pid": 4588 }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-24T00:17:01.000Z", "related": { - "user": [ - "root" - ], "hosts": [ "precise32" + ], + "user": [ + "root" ] }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "precise32" - }, - "event": { - "ingested": "2022-01-12T04:29:55.817455760Z", - "timezone": "+0000", - "kind": "event" + "system": { + "auth": {} }, - "message": "pam_unix(cron:session): session closed for user root", "user": { "name": "root" } }, { + "@timestamp": "2022-02-24T00:45:47.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + 
"host": { + "hostname": "precise32" + }, + "message": "pam_unix(su:session): session closed for user tsg", "process": { "name": "su", "pid": 4496 }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-24T00:45:47.000Z", "related": { - "user": [ - "tsg" - ], "hosts": [ "precise32" + ], + "user": [ + "tsg" ] }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "precise32" - }, - "event": { - "ingested": "2022-01-12T04:29:55.817456639Z", - "timezone": "+0000", - "kind": "event" + "system": { + "auth": {} }, - "message": "pam_unix(su:session): session closed for user tsg", "user": { "name": "tsg" } }, { + "@timestamp": "2022-02-24T00:45:48.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(sudo:session): session closed for user root", "process": { "name": "sudo" }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-24T00:45:48.000Z", "related": { - "user": [ - "root" - ], "hosts": [ "precise32" + ], + "user": [ + "root" ] }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "precise32" - }, - "event": { - "ingested": "2022-01-12T04:29:55.817457524Z", - "timezone": "+0000", - "kind": "event" + "system": { + "auth": {} }, - "message": "pam_unix(sudo:session): session closed for user root", "user": { "name": "root" } }, { + "@timestamp": "2022-02-24T00:45:49.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "Received disconnect from 10.0.2.2: 11: disconnected by user", "process": { "name": "sshd", "pid": 4317 }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-24T00:45:49.000Z", "related": { "hosts": [ "precise32" ] }, + "system": { + "auth": {} + } + }, + { + "@timestamp": "2022-02-24T00:45:49.000Z", "ecs": { "version": "8.0.0" }, + "event": { + "kind": "event", + "timezone": "+0000" + }, "host": { 
"hostname": "precise32" }, - "event": { - "ingested": "2022-01-12T04:29:55.817458400Z", - "timezone": "+0000", - "kind": "event" - }, - "message": "Received disconnect from 10.0.2.2: 11: disconnected by user" - }, - { + "message": "pam_unix(sshd:session): session closed for user vagrant", "process": { "name": "sshd", "pid": 4302 }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-24T00:45:49.000Z", "related": { - "user": [ - "vagrant" - ], "hosts": [ "precise32" + ], + "user": [ + "vagrant" ] }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "precise32" - }, - "event": { - "ingested": "2022-01-12T04:29:55.817459285Z", - "timezone": "+0000", - "kind": "event" + "system": { + "auth": {} }, - "message": "pam_unix(sshd:session): session closed for user vagrant", "user": { "name": "vagrant" } }, { + "@timestamp": "2022-02-24T00:46:32.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "ssh_login", + "category": [ + "authentication", + "session" + ], + "kind": "event", + "outcome": "success", + "timezone": "+0000", + "type": [ + "authentication_success", + "info" + ] + }, + "host": { + "hostname": "precise32" + }, "process": { "name": "sshd", "pid": 4598 }, - "system": { - "auth": { - "ssh": { - "method": "publickey", - "event": "Accepted" - } - } - }, - "@timestamp": "2022-02-24T00:46:32.000Z", "related": { - "user": [ - "vagrant" - ], "hosts": [ "precise32" ], "ip": [ "10.0.2.2" + ], + "user": [ + "vagrant" ] }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "precise32" - }, "source": { - "port": 61852, - "ip": "10.0.2.2" + "ip": "10.0.2.2", + "port": 61852 }, - "event": { - "ingested": "2022-01-12T04:29:55.817460253Z", - "timezone": "+0000", - "kind": "event", - "action": "ssh_login", - "type": [ - "authentication_success", - "info" - ], - "category": [ - "authentication", - "session" - ], - "outcome": "success" + "system": { + "auth": { + "ssh": { + "event": "Accepted", + "method": "publickey" + } + } }, 
"user": { "name": "vagrant" } }, { + "@timestamp": "2022-02-24T00:46:32.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(sshd:session): session opened for user vagrant by (uid=0)", "process": { "name": "sshd", "pid": 4598 }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-24T00:46:32.000Z", "related": { - "user": [ - "vagrant" - ], "hosts": [ "precise32" + ], + "user": [ + "vagrant" ] }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "precise32" - }, - "event": { - "ingested": "2022-01-12T04:29:55.817461126Z", - "timezone": "+0000", - "kind": "event" + "system": { + "auth": {} }, - "message": "pam_unix(sshd:session): session opened for user vagrant by (uid=0)", "user": { - "name": "", "effective": { "name": "vagrant" }, - "id": "0" + "id": "0", + "name": "" } }, { + "@timestamp": "2022-02-24T00:46:32.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "Received disconnect from 10.0.2.2: 11: disconnected by user", "process": { "name": "sshd", "pid": 4613 }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-24T00:46:32.000Z", "related": { "hosts": [ "precise32" ] }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "precise32" + "system": { + "auth": {} + } + }, + { + "@timestamp": "2022-02-24T00:46:32.000Z", + "ecs": { + "version": "8.0.0" }, "event": { - "ingested": "2022-01-12T04:29:55.817462004Z", - "timezone": "+0000", - "kind": "event" + "kind": "event", + "timezone": "+0000" }, - "message": "Received disconnect from 10.0.2.2: 11: disconnected by user" - }, - { + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(sshd:session): session closed for user vagrant", "process": { "name": "sshd", "pid": 4598 }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-24T00:46:32.000Z", 
"related": { - "user": [ - "vagrant" - ], "hosts": [ "precise32" + ], + "user": [ + "vagrant" ] }, + "system": { + "auth": {} + }, + "user": { + "name": "vagrant" + } + }, + { + "@timestamp": "2022-02-24T01:05:42.000Z", "ecs": { "version": "8.0.0" }, + "event": { + "kind": "event", + "timezone": "+0000" + }, "host": { "hostname": "precise32" }, - "event": { - "ingested": "2022-01-12T04:29:55.817462886Z", - "timezone": "+0000", - "kind": "event" - }, "message": "pam_unix(sshd:session): session closed for user vagrant", - "user": { - "name": "vagrant" - } - }, - { "process": { "name": "sshd", "pid": 4185 }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-24T01:05:42.000Z", "related": { - "user": [ - "vagrant" - ], "hosts": [ "precise32" + ], + "user": [ + "vagrant" ] }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "precise32" - }, - "event": { - "ingested": "2022-01-12T04:29:55.817463795Z", - "timezone": "+0000", - "kind": "event" + "system": { + "auth": {} }, - "message": "pam_unix(sshd:session): session closed for user vagrant", "user": { "name": "vagrant" } }, { + "@timestamp": "2022-02-24T08:17:01.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(cron:session): session opened for user root by (uid=0)", "process": { "name": "CRON", "pid": 4626 }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-24T08:17:01.000Z", "related": { - "user": [ - "root" - ], "hosts": [ "precise32" + ], + "user": [ + "root" ] }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "precise32" - }, - "event": { - "ingested": "2022-01-12T04:29:55.817464671Z", - "timezone": "+0000", - "kind": "event" + "system": { + "auth": {} }, - "message": "pam_unix(cron:session): session opened for user root by (uid=0)", "user": { - "name": "", "effective": { "name": "root" }, - "id": "0" + "id": "0", + "name": "" } }, { + "@timestamp": 
"2022-02-24T08:17:01.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(cron:session): session closed for user root", "process": { "name": "CRON", "pid": 4626 }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-24T08:17:01.000Z", "related": { - "user": [ - "root" - ], "hosts": [ "precise32" + ], + "user": [ + "root" ] }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "precise32" - }, - "event": { - "ingested": "2022-01-12T04:29:55.817465617Z", - "timezone": "+0000", - "kind": "event" + "system": { + "auth": {} }, - "message": "pam_unix(cron:session): session closed for user root", "user": { "name": "root" } }, { + "@timestamp": "2022-02-24T09:17:01.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(cron:session): session opened for user root by (uid=0)", "process": { "name": "CRON", "pid": 4642 }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-24T09:17:01.000Z", "related": { - "user": [ - "root" - ], "hosts": [ "precise32" + ], + "user": [ + "root" ] }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "precise32" - }, - "event": { - "ingested": "2022-01-12T04:29:55.817466597Z", - "timezone": "+0000", - "kind": "event" + "system": { + "auth": {} }, - "message": "pam_unix(cron:session): session opened for user root by (uid=0)", "user": { - "name": "", "effective": { "name": "root" }, - "id": "0" + "id": "0", + "name": "" } }, { - "process": { - "name": "CRON", - "pid": 4642 - }, - "system": { - "auth": {} - }, "@timestamp": "2022-02-24T09:17:01.000Z", - "related": { - "user": [ - "root" - ], - "hosts": [ - "precise32" - ] - }, "ecs": { "version": "8.0.0" }, + "event": { + "kind": "event", + "timezone": "+0000" + }, "host": { "hostname": "precise32" }, - "event": { - "ingested": 
"2022-01-12T04:29:55.817467469Z", - "timezone": "+0000", - "kind": "event" - }, "message": "pam_unix(cron:session): session closed for user root", - "user": { - "name": "root" - } - }, - { "process": { - "name": "sshd", - "pid": 4645 - }, - "system": { - "auth": { - "ssh": { - "method": "publickey", - "event": "Accepted" - } - } + "name": "CRON", + "pid": 4642 }, - "@timestamp": "2022-02-24T09:18:35.000Z", "related": { - "user": [ - "vagrant" - ], "hosts": [ "precise32" ], - "ip": [ - "10.0.2.2" + "user": [ + "root" ] }, + "system": { + "auth": {} + }, + "user": { + "name": "root" + } + }, + { + "@timestamp": "2022-02-24T09:18:35.000Z", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "precise32" - }, - "source": { - "port": 53513, - "ip": "10.0.2.2" - }, "event": { - "ingested": "2022-01-12T04:29:55.817468374Z", - "timezone": "+0000", - "kind": "event", "action": "ssh_login", - "type": [ - "authentication_success", - "info" - ], "category": [ "authentication", "session" ], - "outcome": "success" + "kind": "event", + "outcome": "success", + "timezone": "+0000", + "type": [ + "authentication_success", + "info" + ] + }, + "host": { + "hostname": "precise32" }, - "user": { - "name": "vagrant" - } - }, - { "process": { "name": "sshd", "pid": 4645 }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-24T09:18:35.000Z", "related": { - "user": [ - "vagrant" - ], "hosts": [ "precise32" + ], + "ip": [ + "10.0.2.2" + ], + "user": [ + "vagrant" ] }, + "source": { + "ip": "10.0.2.2", + "port": 53513 + }, + "system": { + "auth": { + "ssh": { + "event": "Accepted", + "method": "publickey" + } + } + }, + "user": { + "name": "vagrant" + } + }, + { + "@timestamp": "2022-02-24T09:18:35.000Z", "ecs": { "version": "8.0.0" }, + "event": { + "kind": "event", + "timezone": "+0000" + }, "host": { "hostname": "precise32" }, - "event": { - "ingested": "2022-01-12T04:29:55.817469253Z", - "timezone": "+0000", - "kind": "event" - }, "message": "pam_unix(sshd:session): session 
opened for user vagrant by (uid=0)", + "process": { + "name": "sshd", + "pid": 4645 + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "vagrant" + ] + }, + "system": { + "auth": {} + }, "user": { - "name": "", "effective": { "name": "vagrant" }, - "id": "0" + "id": "0", + "name": "" } }, { + "@timestamp": "2022-02-24T09:18:40.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, "process": { "name": "sudo" }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "vagrant", + "root" + ] + }, "system": { "auth": { "sudo": { - "tty": "pts/0", + "command": "/usr/bin/apt-get install nginx", "pwd": "/home/vagrant", - "user": "root", - "command": "/usr/bin/apt-get install nginx" + "tty": "pts/0", + "user": "root" } } }, + "user": { + "effective": { + "name": "root" + }, + "name": "vagrant" + } + }, + { "@timestamp": "2022-02-24T09:18:40.000Z", - "related": { - "user": [ - "vagrant", - "root" - ], - "hosts": [ - "precise32" - ] - }, "ecs": { "version": "8.0.0" }, + "event": { + "kind": "event", + "timezone": "+0000" + }, "host": { "hostname": "precise32" }, - "event": { - "ingested": "2022-01-12T04:29:55.817470135Z", - "timezone": "+0000", - "kind": "event" - }, - "user": { - "name": "vagrant", - "effective": { - "name": "root" - } - } - }, - { + "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process": { "name": "sudo" }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-24T09:18:40.000Z", "related": { + "hosts": [ + "precise32" + ], "user": [ "vagrant", "root" - ], - "hosts": [ - "precise32" ] }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "precise32" - }, - "event": { - "ingested": "2022-01-12T04:29:55.817471107Z", - "timezone": "+0000", - "kind": "event" + "system": { + "auth": {} }, - "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "user": { - "name": 
"vagrant", "effective": { "name": "root" }, - "id": "1000" + "id": "1000", + "name": "vagrant" } }, { + "@timestamp": "2022-02-24T09:18:46.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(sudo:session): session closed for user root", "process": { "name": "sudo" }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-24T09:18:46.000Z", "related": { - "user": [ - "root" - ], "hosts": [ "precise32" + ], + "user": [ + "root" ] }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "precise32" - }, - "event": { - "ingested": "2022-01-12T04:29:55.817471985Z", - "timezone": "+0000", - "kind": "event" + "system": { + "auth": {} }, - "message": "pam_unix(sudo:session): session closed for user root", "user": { "name": "root" } }, { + "@timestamp": "2022-02-24T09:18:53.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, "process": { "name": "sudo" }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "vagrant", + "root" + ] + }, "system": { "auth": { "sudo": { - "tty": "pts/0", + "command": "/bin/cat /var/log/auth.log", "pwd": "/home/vagrant", - "user": "root", - "command": "/bin/cat /var/log/auth.log" + "tty": "pts/0", + "user": "root" } } }, + "user": { + "effective": { + "name": "root" + }, + "name": "vagrant" + } + }, + { "@timestamp": "2022-02-24T09:18:53.000Z", - "related": { - "user": [ - "vagrant", - "root" - ], - "hosts": [ - "precise32" - ] - }, "ecs": { "version": "8.0.0" }, + "event": { + "kind": "event", + "timezone": "+0000" + }, "host": { "hostname": "precise32" }, - "event": { - "ingested": "2022-01-12T04:29:55.817472866Z", - "timezone": "+0000", - "kind": "event" - }, - "user": { - "name": "vagrant", - "effective": { - "name": "root" - } - } - }, - { + "message": "pam_unix(sudo:session): session opened for user root by 
vagrant(uid=1000)", "process": { "name": "sudo" }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-24T09:18:53.000Z", "related": { + "hosts": [ + "precise32" + ], "user": [ "vagrant", "root" - ], - "hosts": [ - "precise32" ] }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "precise32" - }, - "event": { - "ingested": "2022-01-12T04:29:55.817473750Z", - "timezone": "+0000", - "kind": "event" + "system": { + "auth": {} }, - "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "user": { - "name": "vagrant", "effective": { "name": "root" }, - "id": "1000" + "id": "1000", + "name": "vagrant" } }, { - "process": { - "name": "sudo" - }, - "system": { - "auth": {} - }, "@timestamp": "2022-02-24T09:18:53.000Z", - "related": { - "user": [ - "root" - ], - "hosts": [ - "precise32" - ] - }, "ecs": { "version": "8.0.0" }, + "event": { + "kind": "event", + "timezone": "+0000" + }, "host": { "hostname": "precise32" }, - "event": { - "ingested": "2022-01-12T04:29:55.817474677Z", - "timezone": "+0000", - "kind": "event" - }, "message": "pam_unix(sudo:session): session closed for user root", - "user": { - "name": "root" - } - }, - { "process": { "name": "sudo" }, - "system": { - "auth": { - "sudo": { - "tty": "pts/0", - "pwd": "/home/vagrant", - "user": "root", - "command": "/bin/cat /var/log/auth.log" - } - } - }, - "@timestamp": "2022-02-24T09:19:04.000Z", "related": { - "user": [ - "vagrant", - "root" - ], "hosts": [ "precise32" + ], + "user": [ + "root" ] }, + "system": { + "auth": {} + }, + "user": { + "name": "root" + } + }, + { + "@timestamp": "2022-02-24T09:19:04.000Z", "ecs": { "version": "8.0.0" }, + "event": { + "kind": "event", + "timezone": "+0000" + }, "host": { "hostname": "precise32" }, - "event": { - "ingested": "2022-01-12T04:29:55.817475575Z", - "timezone": "+0000", - "kind": "event" + "process": { + "name": "sudo" + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "vagrant", + "root" + ] + 
}, + "system": { + "auth": { + "sudo": { + "command": "/bin/cat /var/log/auth.log", + "pwd": "/home/vagrant", + "tty": "pts/0", + "user": "root" + } + } }, "user": { - "name": "vagrant", "effective": { "name": "root" - } + }, + "name": "vagrant" } }, { + "@timestamp": "2022-02-24T09:19:04.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process": { "name": "sudo" }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-24T09:19:04.000Z", "related": { + "hosts": [ + "precise32" + ], "user": [ "vagrant", "root" - ], - "hosts": [ - "precise32" ] }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "precise32" - }, - "event": { - "ingested": "2022-01-12T04:29:55.817476663Z", - "timezone": "+0000", - "kind": "event" + "system": { + "auth": {} }, - "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "user": { - "name": "vagrant", "effective": { "name": "root" }, - "id": "1000" + "id": "1000", + "name": "vagrant" } }, { + "@timestamp": "2022-02-24T09:19:04.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(sudo:session): session closed for user root", "process": { "name": "sudo" }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-24T09:19:04.000Z", "related": { - "user": [ - "root" - ], "hosts": [ "precise32" + ], + "user": [ + "root" ] }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "precise32" - }, - "event": { - "ingested": "2022-01-12T04:29:55.817477549Z", - "timezone": "+0000", - "kind": "event" + "system": { + "auth": {} }, - "message": "pam_unix(sudo:session): session closed for user root", "user": { "name": "root" } }, { + "@timestamp": "2022-02-24T09:19:09.000Z", + "ecs": { + "version": 
"8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, "process": { "name": "sudo" }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "vagrant", + "root" + ] + }, "system": { "auth": { "sudo": { - "tty": "pts/0", + "command": "/bin/cat /var/log/auth.log", "pwd": "/home/vagrant", - "user": "root", - "command": "/bin/cat /var/log/auth.log" + "tty": "pts/0", + "user": "root" } } }, + "user": { + "effective": { + "name": "root" + }, + "name": "vagrant" + } + }, + { "@timestamp": "2022-02-24T09:19:09.000Z", - "related": { - "user": [ - "vagrant", - "root" - ], - "hosts": [ - "precise32" - ] - }, "ecs": { "version": "8.0.0" }, + "event": { + "kind": "event", + "timezone": "+0000" + }, "host": { "hostname": "precise32" }, - "event": { - "ingested": "2022-01-12T04:29:55.817478438Z", - "timezone": "+0000", - "kind": "event" - }, - "user": { - "name": "vagrant", - "effective": { - "name": "root" - } - } - }, - { + "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process": { "name": "sudo" }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-24T09:19:09.000Z", "related": { + "hosts": [ + "precise32" + ], "user": [ "vagrant", "root" - ], - "hosts": [ - "precise32" ] }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "precise32" - }, - "event": { - "ingested": "2022-01-12T04:29:55.817479321Z", - "timezone": "+0000", - "kind": "event" + "system": { + "auth": {} }, - "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "user": { - "name": "vagrant", "effective": { "name": "root" }, - "id": "1000" + "id": "1000", + "name": "vagrant" } }, { + "@timestamp": "2022-02-24T09:19:09.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(sudo:session): session closed for user root", "process": { "name": "sudo" 
}, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-24T09:19:09.000Z", "related": { - "user": [ - "root" - ], "hosts": [ "precise32" + ], + "user": [ + "root" ] }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "precise32" - }, - "event": { - "ingested": "2022-01-12T04:29:55.817480208Z", - "timezone": "+0000", - "kind": "event" + "system": { + "auth": {} }, - "message": "pam_unix(sudo:session): session closed for user root", "user": { "name": "root" } }, { + "@timestamp": "2022-02-24T09:19:29.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, "process": { "name": "sudo" }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "vagrant", + "root" + ] + }, "system": { "auth": { "sudo": { - "tty": "pts/0", + "command": "/usr/bin/apt-get install mysql-server", "pwd": "/home/vagrant", - "user": "root", - "command": "/usr/bin/apt-get install mysql-server" + "tty": "pts/0", + "user": "root" } } }, + "user": { + "effective": { + "name": "root" + }, + "name": "vagrant" + } + }, + { "@timestamp": "2022-02-24T09:19:29.000Z", - "related": { - "user": [ - "vagrant", - "root" - ], - "hosts": [ - "precise32" - ] - }, "ecs": { "version": "8.0.0" }, + "event": { + "kind": "event", + "timezone": "+0000" + }, "host": { "hostname": "precise32" }, - "event": { - "ingested": "2022-01-12T04:29:55.817481152Z", - "timezone": "+0000", - "kind": "event" - }, - "user": { - "name": "vagrant", - "effective": { - "name": "root" - } - } - }, - { + "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process": { "name": "sudo" }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-24T09:19:29.000Z", "related": { + "hosts": [ + "precise32" + ], "user": [ "vagrant", "root" - ], - "hosts": [ - "precise32" ] }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "precise32" - }, - "event": { - "ingested": 
"2022-01-12T04:29:55.817482141Z", - "timezone": "+0000", - "kind": "event" + "system": { + "auth": {} }, - "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "user": { - "name": "vagrant", "effective": { "name": "root" }, - "id": "1000" + "id": "1000", + "name": "vagrant" } }, { + "@timestamp": "2022-02-24T09:19:55.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "iam" + ], + "kind": "event", + "outcome": "success", + "timezone": "+0000", + "type": [ + "group", + "creation" + ] + }, + "host": { + "hostname": "precise32" + }, + "message": "group added to /etc/group: name=mysql, GID=111", "process": { "name": "groupadd", "pid": 7996 }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-24T09:19:55.000Z", "related": { "hosts": [ "precise32" ] }, + "system": { + "auth": {} + } + }, + { + "@timestamp": "2022-02-24T09:19:55.000Z", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "precise32" - }, "event": { - "ingested": "2022-01-12T04:29:55.817483018Z", "category": [ "iam" ], + "kind": "event", + "outcome": "success", + "timezone": "+0000", "type": [ "group", "creation" - ], - "timezone": "+0000", - "kind": "event", - "outcome": "success" + ] }, - "message": "group added to /etc/group: name=mysql, GID=111" - }, - { + "host": { + "hostname": "precise32" + }, + "message": "group added to /etc/gshadow: name=mysql", "process": { "name": "groupadd", "pid": 7996 }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-24T09:19:55.000Z", "related": { "hosts": [ "precise32" ] }, + "system": { + "auth": {} + } + }, + { + "@timestamp": "2022-02-24T09:19:55.000Z", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "precise32" - }, "event": { - "ingested": "2022-01-12T04:29:55.817483897Z", "category": [ "iam" ], + "kind": "event", + "outcome": "success", + "timezone": "+0000", "type": [ "group", "creation" - ], - "timezone": "+0000", - "kind": "event", - "outcome": "success" + ] + }, + "group": { + 
"id": "111", + "name": "mysql" + }, + "host": { + "hostname": "precise32" }, - "message": "group added to /etc/gshadow: name=mysql" - }, - { "process": { "name": "groupadd", "pid": 7996 }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-24T09:19:55.000Z", "related": { "hosts": [ "precise32" ] }, + "system": { + "auth": {} + } + }, + { + "@timestamp": "2022-02-24T09:19:55.000Z", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "precise32" - }, "event": { - "ingested": "2022-01-12T04:29:55.817484774Z", "category": [ "iam" ], + "kind": "event", + "outcome": "success", + "timezone": "+0000", "type": [ - "group", + "user", "creation" - ], - "timezone": "+0000", - "kind": "event", - "outcome": "success" + ] }, "group": { - "name": "mysql", "id": "111" - } - }, - { + }, + "host": { + "hostname": "precise32" + }, "process": { "name": "useradd", "pid": 8002 }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "mysql" + ] + }, "system": { "auth": { "useradd": { - "shell": "/bin/false", - "home": "/nonexistent" + "home": "/nonexistent", + "shell": "/bin/false" } } }, + "user": { + "id": "106", + "name": "mysql" + } + }, + { "@timestamp": "2022-02-24T09:19:55.000Z", - "related": { - "user": [ - "mysql" - ], - "hosts": [ - "precise32" - ] - }, "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "precise32" - }, "event": { - "ingested": "2022-01-12T04:29:55.817486125Z", - "category": [ - "iam" - ], - "type": [ - "user", - "creation" - ], - "timezone": "+0000", "kind": "event", - "outcome": "success" + "timezone": "+0000" }, - "user": { - "name": "mysql", - "id": "106" + "host": { + "hostname": "precise32" }, - "group": { - "id": "111" - } - }, - { + "message": "changed password expiry for mysql", "process": { "name": "chage", "pid": 8007 }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-24T09:19:55.000Z", "related": { "hosts": [ "precise32" ] }, + "system": { + "auth": {} + } + }, + { + "@timestamp": "2022-02-24T09:19:55.000Z", "ecs": { 
"version": "8.0.0" }, + "event": { + "kind": "event", + "timezone": "+0000" + }, "host": { "hostname": "precise32" }, - "event": { - "ingested": "2022-01-12T04:29:55.817487018Z", - "timezone": "+0000", - "kind": "event" - }, - "message": "changed password expiry for mysql" - }, - { + "message": "changed user 'mysql' information", "process": { "name": "chfn", "pid": 8010 }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-24T09:19:55.000Z", "related": { "hosts": [ "precise32" ] }, + "system": { + "auth": {} + } + }, + { + "@timestamp": "2022-02-24T09:20:08.000Z", "ecs": { "version": "8.0.0" }, + "event": { + "kind": "event", + "timezone": "+0000" + }, "host": { "hostname": "precise32" }, - "event": { - "ingested": "2022-01-12T04:29:55.817487916Z", - "timezone": "+0000", - "kind": "event" - }, - "message": "changed user 'mysql' information" - }, - { + "message": "pam_unix(sudo:session): session closed for user root", "process": { "name": "sudo" }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-24T09:20:08.000Z", "related": { - "user": [ - "root" - ], "hosts": [ "precise32" + ], + "user": [ + "root" ] }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "precise32" - }, - "event": { - "ingested": "2022-01-12T04:29:55.817488799Z", - "timezone": "+0000", - "kind": "event" + "system": { + "auth": {} }, - "message": "pam_unix(sudo:session): session closed for user root", "user": { "name": "root" } }, { + "@timestamp": "2022-02-24T09:20:10.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, "process": { "name": "sudo" }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "vagrant", + "root" + ] + }, "system": { "auth": { "sudo": { - "tty": "pts/0", + "command": "/bin/cat /var/log/auth.log", "pwd": "/home/vagrant", - "user": "root", - "command": "/bin/cat /var/log/auth.log" + "tty": "pts/0", + "user": "root" } } }, + "user": { + "effective": 
{ + "name": "root" + }, + "name": "vagrant" + } + }, + { "@timestamp": "2022-02-24T09:20:10.000Z", - "related": { - "user": [ - "vagrant", - "root" - ], - "hosts": [ - "precise32" - ] - }, "ecs": { "version": "8.0.0" }, + "event": { + "kind": "event", + "timezone": "+0000" + }, "host": { "hostname": "precise32" }, - "event": { - "ingested": "2022-01-12T04:29:55.817489679Z", - "timezone": "+0000", - "kind": "event" - }, - "user": { - "name": "vagrant", - "effective": { - "name": "root" - } - } - }, - { + "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process": { "name": "sudo" }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-24T09:20:10.000Z", "related": { + "hosts": [ + "precise32" + ], "user": [ "vagrant", "root" - ], - "hosts": [ - "precise32" ] }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "precise32" - }, - "event": { - "ingested": "2022-01-12T04:29:55.817490556Z", - "timezone": "+0000", - "kind": "event" + "system": { + "auth": {} }, - "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "user": { - "name": "vagrant", "effective": { "name": "root" }, - "id": "1000" + "id": "1000", + "name": "vagrant" } }, { + "@timestamp": "2022-02-24T09:20:10.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(sudo:session): session closed for user root", "process": { "name": "sudo" }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-24T09:20:10.000Z", "related": { - "user": [ - "root" - ], "hosts": [ "precise32" + ], + "user": [ + "root" ] }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "precise32" - }, - "event": { - "ingested": "2022-01-12T04:29:55.817491538Z", - "timezone": "+0000", - "kind": "event" + "system": { + "auth": {} }, - "message": "pam_unix(sudo:session): session closed for user root", "user": { "name": "root" } 
}, { + "@timestamp": "2022-02-24T09:26:29.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, "process": { "name": "sudo" }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "vagrant", + "root" + ] + }, "system": { "auth": { "sudo": { - "tty": "pts/0", + "command": "/bin/cat /var/log/auth.log", "pwd": "/home/vagrant", - "user": "root", - "command": "/bin/cat /var/log/auth.log" + "tty": "pts/0", + "user": "root" } } }, + "user": { + "effective": { + "name": "root" + }, + "name": "vagrant" + } + }, + { "@timestamp": "2022-02-24T09:26:29.000Z", - "related": { - "user": [ - "vagrant", - "root" - ], - "hosts": [ - "precise32" - ] - }, "ecs": { "version": "8.0.0" }, + "event": { + "kind": "event", + "timezone": "+0000" + }, "host": { "hostname": "precise32" }, - "event": { - "ingested": "2022-01-12T04:29:55.817492420Z", - "timezone": "+0000", - "kind": "event" - }, - "user": { - "name": "vagrant", - "effective": { - "name": "root" - } - } - }, - { + "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "process": { "name": "sudo" }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-24T09:26:29.000Z", "related": { + "hosts": [ + "precise32" + ], "user": [ "vagrant", "root" - ], - "hosts": [ - "precise32" ] }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "precise32" - }, - "event": { - "ingested": "2022-01-12T04:29:55.817493299Z", - "timezone": "+0000", - "kind": "event" + "system": { + "auth": {} }, - "message": "pam_unix(sudo:session): session opened for user root by vagrant(uid=1000)", "user": { - "name": "vagrant", "effective": { "name": "root" }, - "id": "1000" + "id": "1000", + "name": "vagrant" } }, { + "@timestamp": "2022-02-24T09:26:29.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": 
"pam_unix(sudo:session): session closed for user root", "process": { "name": "sudo" }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-24T09:26:29.000Z", "related": { - "user": [ - "root" - ], "hosts": [ "precise32" + ], + "user": [ + "root" ] }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "precise32" - }, - "event": { - "ingested": "2022-01-12T04:29:55.817494243Z", - "timezone": "+0000", - "kind": "event" + "system": { + "auth": {} }, - "message": "pam_unix(sudo:session): session closed for user root", "user": { "name": "root" } }, { + "@timestamp": "2022-02-24T09:26:59.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "ssh_login", + "category": [ + "authentication", + "session" + ], + "kind": "event", + "outcome": "success", + "timezone": "+0000", + "type": [ + "authentication_success", + "info" + ] + }, + "host": { + "hostname": "precise32" + }, "process": { "name": "sshd", "pid": 10535 }, - "system": { - "auth": { - "ssh": { - "method": "publickey", - "event": "Accepted" - } - } - }, - "@timestamp": "2022-02-24T09:26:59.000Z", "related": { - "user": [ - "vagrant" - ], "hosts": [ "precise32" ], "ip": [ "10.0.2.2" + ], + "user": [ + "vagrant" ] }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "precise32" - }, "source": { - "port": 58988, - "ip": "10.0.2.2" + "ip": "10.0.2.2", + "port": 58988 }, - "event": { - "ingested": "2022-01-12T04:29:55.817495114Z", - "timezone": "+0000", - "kind": "event", - "action": "ssh_login", - "type": [ - "authentication_success", - "info" - ], - "category": [ - "authentication", - "session" - ], - "outcome": "success" + "system": { + "auth": { + "ssh": { + "event": "Accepted", + "method": "publickey" + } + } }, "user": { "name": "vagrant" } }, { + "@timestamp": "2022-02-24T09:26:59.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "precise32" + }, + "message": "pam_unix(sshd:session): session 
opened for user vagrant by (uid=0)", "process": { "name": "sshd", "pid": 10535 }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-24T09:26:59.000Z", "related": { - "user": [ - "vagrant" - ], "hosts": [ "precise32" + ], + "user": [ + "vagrant" ] }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "precise32" - }, - "event": { - "ingested": "2022-01-12T04:29:55.817495987Z", - "timezone": "+0000", - "kind": "event" + "system": { + "auth": {} }, - "message": "pam_unix(sshd:session): session opened for user vagrant by (uid=0)", "user": { - "name": "", "effective": { "name": "vagrant" }, - "id": "0" + "id": "0", + "name": "" } } ] diff --git a/packages/system/data_stream/auth/_dev/test/pipeline/test-auth.log-expected.json b/packages/system/data_stream/auth/_dev/test/pipeline/test-auth.log-expected.json index b46d93eca19..76dff8beff3 100644 --- a/packages/system/data_stream/auth/_dev/test/pipeline/test-auth.log-expected.json +++ b/packages/system/data_stream/auth/_dev/test/pipeline/test-auth.log-expected.json 
@@ -1,291 +1,289 @@ { "expected": [ { + "@timestamp": "2022-02-21T21:54:44.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "ssh_login", + "category": [ + "authentication", + "session" + ], + "kind": "event", + "outcome": "success", + "timezone": "+0000", + "type": [ + "authentication_success", + "info" + ] + }, + "host": { + "hostname": "localhost" + }, "process": { "name": "sshd", "pid": 3402 }, - "system": { - "auth": { - "ssh": { - "method": "publickey", - "event": "Accepted", - "signature": "RSA 39:33:99:e9:a0:dc:f2:33:a3:e5:72:3b:7c:3a:56:84" - } - } - }, - "@timestamp": "2022-02-21T21:54:44.000Z", "related": { - "user": [ - "vagrant" - ], "hosts": [ "localhost" ], "ip": [ "10.0.2.2" + ], + "user": [ + "vagrant" ] }, - "ecs": { - "version": "8.0.0" + "source": { + "ip": "10.0.2.2", + "port": 63673 }, - "host": { - "hostname": "localhost" + "system": { + "auth": { + "ssh": { + "event": "Accepted", + "method": "publickey", + "signature": "RSA 39:33:99:e9:a0:dc:f2:33:a3:e5:72:3b:7c:3a:56:84" + } + } }, - "source": { - "port": 63673, - "ip": "10.0.2.2" + "user": { + "name": "vagrant" + } + }, + { + "@timestamp": "2022-02-23T00:13:35.000Z", + "ecs": { + "version": "8.0.0" }, "event": { - "ingested": "2022-01-12T04:30:11.112756661Z", - "timezone": "+0000", - "kind": "event", "action": "ssh_login", - "type": [ - "authentication_success", - "info" - ], "category": [ "authentication", "session" ], - "outcome": "success" + "kind": "event", + "outcome": "success", + "timezone": "+0000", + "type": [ + "authentication_success", + "info" + ] + }, + "host": { + "hostname": "localhost" }, - "user": { - "name": "vagrant" - } - }, - { "process": { "name": "sshd", "pid": 7483 }, - "system": { - "auth": { - "ssh": { - "method": "password", - "event": "Accepted" - } - } - }, - "@timestamp": "2022-02-23T00:13:35.000Z", "related": { - "user": [ - "vagrant" - ], "hosts": [ "localhost" ], "ip": [ "192.168.33.1" + ], + "user": [ + "vagrant" ] }, - "ecs": { - 
"version": "8.0.0" - }, - "host": { - "hostname": "localhost" - }, "source": { - "port": 58803, - "ip": "192.168.33.1" + "ip": "192.168.33.1", + "port": 58803 }, - "event": { - "ingested": "2022-01-12T04:30:11.112759217Z", - "timezone": "+0000", - "kind": "event", - "action": "ssh_login", - "type": [ - "authentication_success", - "info" - ], - "category": [ - "authentication", - "session" - ], - "outcome": "success" + "system": { + "auth": { + "ssh": { + "event": "Accepted", + "method": "password" + } + } }, "user": { "name": "vagrant" } }, { + "@timestamp": "2022-02-21T21:56:12.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "ssh_login", + "category": [ + "authentication" + ], + "kind": "event", + "outcome": "failure", + "timezone": "+0000", + "type": [ + "authentication_failure", + "info" + ] + }, + "host": { + "hostname": "localhost" + }, "process": { "name": "sshd", "pid": 3430 }, - "system": { - "auth": { - "ssh": { - "event": "Invalid" - } - } - }, - "@timestamp": "2022-02-21T21:56:12.000Z", "related": { - "user": [ - "test" - ], "hosts": [ "localhost" ], "ip": [ "10.0.2.2" + ], + "user": [ + "test" ] }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "localhost" - }, "source": { "ip": "10.0.2.2" }, - "event": { - "ingested": "2022-01-12T04:30:11.112760053Z", - "timezone": "+0000", - "kind": "event", - "action": "ssh_login", - "type": [ - "authentication_failure", - "info" - ], - "category": [ - "authentication" - ], - "outcome": "failure" + "system": { + "auth": { + "ssh": { + "event": "Invalid" + } + } }, "user": { "name": "test" } }, { + "@timestamp": "2022-02-20T08:35:22.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "ssh_login", + "category": [ + "authentication" + ], + "kind": "event", + "outcome": "failure", + "timezone": "+0000", + "type": [ + "authentication_failure", + "info" + ] + }, + "host": { + "hostname": "slave22" + }, "process": { "name": "sshd", "pid": 5774 }, - "system": { - "auth": 
{ - "ssh": { - "method": "password", - "event": "Failed" - } - } - }, - "@timestamp": "2022-02-20T08:35:22.000Z", "related": { - "user": [ - "root" - ], "hosts": [ "slave22" ], "ip": [ "89.160.20.156" + ], + "user": [ + "root" ] }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "slave22" - }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "SE-E", - "city_name": "Linköping", - "country_iso_code": "SE", - "country_name": "Sweden", - "region_name": "Östergötland County", - "location": { - "lon": 15.6167, - "lat": 58.4167 - } - }, "as": { "number": 29518, "organization": { "name": "Bredband2 AB" } }, - "port": 29160, - "ip": "89.160.20.156" + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 29160 }, - "event": { - "ingested": "2022-01-12T04:30:11.112760831Z", - "timezone": "+0000", - "kind": "event", - "action": "ssh_login", - "type": [ - "authentication_failure", - "info" - ], - "category": [ - "authentication" - ], - "outcome": "failure" + "system": { + "auth": { + "ssh": { + "event": "Failed", + "method": "password" + } + } }, "user": { "name": "root" } }, { + "@timestamp": "2022-02-21T23:35:33.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "localhost" + }, "process": { "name": "sudo" }, - "system": { - "auth": { - "sudo": { - "tty": "pts/0", - "pwd": "/home/vagrant", - "user": "root", - "command": "/bin/ls" - } - } - }, - "@timestamp": "2022-02-21T23:35:33.000Z", "related": { + "hosts": [ + "localhost" + ], "user": [ "vagrant", "root" - ], - "hosts": [ - "localhost" ] }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "localhost" - }, - "event": { - "ingested": "2022-01-12T04:30:11.112761551Z", 
- "timezone": "+0000", - "kind": "event" + "system": { + "auth": { + "sudo": { + "command": "/bin/ls", + "pwd": "/home/vagrant", + "tty": "pts/0", + "user": "root" + } + } }, "user": { - "name": "vagrant", "effective": { "name": "root" - } + }, + "name": "vagrant" } }, { + "@timestamp": "2022-02-19T15:30:04.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "slave22" + }, "process": { "name": "sshd", "pid": 18406 }, - "system": { - "auth": { - "ssh": { - "dropped_ip": "89.160.20.156" - } - } - }, - "@timestamp": "2022-02-19T15:30:04.000Z", "related": { "hosts": [ "slave22" 
@@ -294,209 +292,201 @@ "89.160.20.156" ] }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "slave22" - }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "SE-E", - "city_name": "Linköping", - "country_iso_code": "SE", - "country_name": "Sweden", - "region_name": "Östergötland County", - "location": { - "lon": 15.6167, - "lat": 58.4167 - } - }, "as": { "number": 29518, "organization": { "name": "Bredband2 AB" } }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156" }, - "event": { - "ingested": "2022-01-12T04:30:11.112762289Z", - "timezone": "+0000", - "kind": "event" - } - }, - { - "process": { - "name": "sudo" - }, "system": { "auth": { - "sudo": { - "tty": "pts/1", - "pwd": "/home/vagrant", - "user": "root", - "command": "/bin/cat /var/log/secure" + "ssh": { + "dropped_ip": "89.160.20.156" } } - }, + } + }, + { "@timestamp": "2022-02-23T00:08:48.000Z", - "related": { - "user": [ - "vagrant", - "root" - ], - "hosts": [ - "localhost" - ] - }, "ecs": { "version": "8.0.0" }, + "event": { + "kind": "event", + "timezone": "+0000" + }, "host": { "hostname": "localhost" }, - "event": { - "ingested": "2022-01-12T04:30:11.112763036Z", - "timezone": "+0000", - "kind": "event" - }, - "user": { - "name": "vagrant", - "effective": { - "name": "root" - } - } - }, - { "process": { "name": "sudo" }, + "related": { + "hosts": [ + "localhost" + ], + "user": [ + "vagrant", + "root" + ] + }, "system": { "auth": { "sudo": { - "tty": "pts/1", + "command": "/bin/cat /var/log/secure", "pwd": "/home/vagrant", - "error": "user NOT in sudoers", - "user": "root", - "command": "/bin/ls" + "tty": "pts/1", + "user": "root" } } }, + "user": { + "effective": { + "name": "root" + }, + "name": "vagrant" + } + }, + { "@timestamp": 
"2022-02-24T00:13:02.000Z", - "related": { - "user": [ - "tsg", - "root" - ], - "hosts": [ - "precise32" - ] - }, "ecs": { "version": "8.0.0" }, + "event": { + "kind": "event", + "timezone": "+0000" + }, "host": { "hostname": "precise32" }, - "event": { - "ingested": "2022-01-12T04:30:11.112763782Z", - "timezone": "+0000", - "kind": "event" + "process": { + "name": "sudo" + }, + "related": { + "hosts": [ + "precise32" + ], + "user": [ + "tsg", + "root" + ] + }, + "system": { + "auth": { + "sudo": { + "command": "/bin/ls", + "error": "user NOT in sudoers", + "pwd": "/home/vagrant", + "tty": "pts/1", + "user": "root" + } + } }, "user": { - "name": "tsg", "effective": { "name": "root" - } + }, + "name": "tsg" } }, { - "process": { - "name": "groupadd", - "pid": 6991 - }, - "system": { - "auth": {} - }, "@timestamp": "2022-02-22T11:47:05.000Z", - "related": { - "hosts": [ - "localhost" - ] - }, "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "localhost" - }, "event": { - "ingested": "2022-01-12T04:30:11.112764497Z", "category": [ "iam" ], + "kind": "event", + "outcome": "success", + "timezone": "+0000", "type": [ "group", "creation" - ], - "timezone": "+0000", - "kind": "event", - "outcome": "success" + ] }, "group": { - "name": "apache", - "id": "48" - } - }, - { - "process": { - "name": "useradd", - "pid": 6995 + "id": "48", + "name": "apache" }, - "system": { - "auth": { - "useradd": { - "shell": "/sbin/nologin", - "home": "/usr/share/httpd" - } - } + "host": { + "hostname": "localhost" + }, + "process": { + "name": "groupadd", + "pid": 6991 }, - "@timestamp": "2022-02-22T11:47:05.000Z", "related": { - "user": [ - "apache" - ], "hosts": [ "localhost" ] }, + "system": { + "auth": {} + } + }, + { + "@timestamp": "2022-02-22T11:47:05.000Z", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "localhost" - }, "event": { - "ingested": "2022-01-12T04:30:11.112765252Z", "category": [ "iam" ], + "kind": "event", + "outcome": "success", + "timezone": "+0000", 
"type": [ "user", "creation" - ], - "timezone": "+0000", - "kind": "event", - "outcome": "success" - }, - "user": { - "name": "apache", - "id": "48" + ] }, "group": { "id": "48" + }, + "host": { + "hostname": "localhost" + }, + "process": { + "name": "useradd", + "pid": 6995 + }, + "related": { + "hosts": [ + "localhost" + ], + "user": [ + "apache" + ] + }, + "system": { + "auth": { + "useradd": { + "home": "/usr/share/httpd", + "shell": "/sbin/nologin" + } + } + }, + "user": { + "id": "48", + "name": "apache" } } ] diff --git a/packages/system/data_stream/auth/_dev/test/pipeline/test-secure-rhel7.log-expected.json b/packages/system/data_stream/auth/_dev/test/pipeline/test-secure-rhel7.log-expected.json index 6a4d4166b37..cb6a89ed04f 100644 --- a/packages/system/data_stream/auth/_dev/test/pipeline/test-secure-rhel7.log-expected.json +++ b/packages/system/data_stream/auth/_dev/test/pipeline/test-secure-rhel7.log-expected.json 
@@ -1,257 +1,250 @@ { "expected": [ { + "@timestamp": "2022-02-22T16:45:20.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "ssh_login", + "category": [ + "authentication" + ], + "kind": "event", + "outcome": "failure", + "timezone": "+0000", + "type": [ + "authentication_failure", + "info" + ] + }, + "host": { + "hostname": "slave22" + }, "process": { "name": "sshd", "pid": 2738 }, - "system": { - "auth": { - "ssh": { - "method": "password", - "event": "Failed" - } - } - }, - "@timestamp": "2022-02-22T16:45:20.000Z", "related": { - "user": [ - "root" - ], "hosts": [ "slave22" ], "ip": [ "89.160.20.156" + ], + "user": [ + "root" ] }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "slave22" - }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "SE-E", - "city_name": "Linköping", - "country_iso_code": "SE", - "country_name": "Sweden", - "region_name": "Östergötland County", - "location": { - "lon": 15.6167, - "lat": 58.4167 - } - }, "as": { "number": 29518, "organization": { "name": "Bredband2 AB" } }, - "port": 1786, - "ip": "89.160.20.156" + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, + "ip": "89.160.20.156", + "port": 1786 }, - "event": { - "ingested": "2022-01-12T04:30:12.766931327Z", - "timezone": "+0000", - "kind": "event", - "action": "ssh_login", - "type": [ - "authentication_failure", - "info" - ], - "category": [ - "authentication" - ], - "outcome": "failure" + "system": { + "auth": { + "ssh": { + "event": "Failed", + "method": "password" + } + } }, "user": { "name": "root" } }, { + "@timestamp": "2022-02-22T16:45:20.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "slave22" + }, + "message": 
"pam_succeed_if(sshd:auth): requirement \"uid \u003e= 1000\" not met by user \"root\"", "process": { "name": "sshd", "pid": 2738 }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-22T16:45:20.000Z", "related": { - "user": [ - "root" - ], "hosts": [ "slave22" + ], + "user": [ + "root" ] }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "slave22" - }, - "event": { - "ingested": "2022-01-12T04:30:12.766934132Z", - "timezone": "+0000", - "kind": "event" + "system": { + "auth": {} }, - "message": "pam_succeed_if(sshd:auth): requirement \"uid \u003e= 1000\" not met by user \"root\"", "user": { "name": "root" } }, { + "@timestamp": "2022-02-22T16:45:26.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "slave22" + }, + "message": "fatal: Read from socket failed: Connection reset by peer [preauth]", "process": { "name": "sshd", "pid": 2738 }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-22T16:45:26.000Z", "related": { "hosts": [ "slave22" ] }, + "system": { + "auth": {} + } + }, + { + "@timestamp": "2022-02-22T16:45:26.000Z", "ecs": { "version": "8.0.0" }, + "event": { + "kind": "event", + "timezone": "+0000" + }, "host": { "hostname": "slave22" }, - "event": { - "ingested": "2022-01-12T04:30:12.766935025Z", - "timezone": "+0000", - "kind": "event" - }, - "message": "fatal: Read from socket failed: Connection reset by peer [preauth]" - }, - { + "message": "PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=89.160.20.156 user=root", "process": { "name": "sshd", "pid": 2738 }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-22T16:45:26.000Z", "related": { "hosts": [ "slave22" ] }, + "system": { + "auth": {} + } + }, + { + "@timestamp": "2022-02-22T16:45:26.000Z", "ecs": { "version": "8.0.0" }, + "event": { + "kind": "event", + "timezone": "+0000" + }, "host": { "hostname": "slave22" }, - "event": { - "ingested": 
"2022-01-12T04:30:12.766935790Z", - "timezone": "+0000", - "kind": "event" - }, - "message": "PAM 4 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=89.160.20.156 user=root" - }, - { + "message": "PAM service(sshd) ignoring max retries; 5 \u003e 3", "process": { "name": "sshd", "pid": 2738 }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-22T16:45:26.000Z", "related": { "hosts": [ "slave22" ] }, + "system": { + "auth": {} + } + }, + { + "@timestamp": "2022-02-22T16:45:32.000Z", "ecs": { "version": "8.0.0" }, + "event": { + "kind": "event", + "timezone": "+0000" + }, "host": { "hostname": "slave22" }, - "event": { - "ingested": "2022-01-12T04:30:12.766936554Z", - "timezone": "+0000", - "kind": "event" - }, - "message": "PAM service(sshd) ignoring max retries; 5 \u003e 3" - }, - { + "message": "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=89.160.20.156 user=root", "process": { "name": "sshd", "pid": 2742 }, - "system": { - "auth": {} - }, - "@timestamp": "2022-02-22T16:45:32.000Z", "related": { "hosts": [ "slave22" ] }, + "system": { + "auth": {} + } + }, + { + "@timestamp": "2022-02-22T17:04:51.000Z", "ecs": { "version": "8.0.0" }, + "event": { + "kind": "event", + "timezone": "+0000" + }, "host": { "hostname": "slave22" }, - "event": { - "ingested": "2022-01-12T04:30:12.766937292Z", - "timezone": "+0000", - "kind": "event" - }, - "message": "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=89.160.20.156 user=root" - }, - { "process": { "name": "sudo" }, - "system": { - "auth": { - "sudo": { - "tty": "pts/0", - "pwd": "/home/tsg", - "user": "root", - "command": "/bin/cp /var/log/secure ." 
- } - } - }, - "@timestamp": "2022-02-22T17:04:51.000Z", "related": { + "hosts": [ + "slave22" + ], "user": [ "tsg", "root" - ], - "hosts": [ - "slave22" ] }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "slave22" - }, - "event": { - "ingested": "2022-01-12T04:30:12.766938034Z", - "timezone": "+0000", - "kind": "event" + "system": { + "auth": { + "sudo": { + "command": "/bin/cp /var/log/secure .", + "pwd": "/home/tsg", + "tty": "pts/0", + "user": "root" + } + } }, "user": { - "name": "tsg", "effective": { "name": "root" - } + }, + "name": "tsg" } } ] diff --git a/packages/system/data_stream/auth/_dev/test/pipeline/test-timestamp.log-expected.json b/packages/system/data_stream/auth/_dev/test/pipeline/test-timestamp.log-expected.json index b4cd80aeae0..c330599fb44 100644 --- a/packages/system/data_stream/auth/_dev/test/pipeline/test-timestamp.log-expected.json +++ b/packages/system/data_stream/auth/_dev/test/pipeline/test-timestamp.log-expected.json 
@@ -1,67 +1,65 @@ { "expected": [ { + "@timestamp": "2019-06-14T10:40:20.912Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "kind": "event", + "timezone": "+0000" + }, + "host": { + "hostname": "localhost" + }, + "message": "pam_unix(sudo-i:session): session opened for user root by userauth3(uid=0)", "process": { "name": "sudo" }, - "system": { - "auth": {} - }, - "@timestamp": "2019-06-14T10:40:20.912Z", "related": { + "hosts": [ + "localhost" + ], "user": [ "userauth3", "root" - ], - "hosts": [ - "localhost" ] }, - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "localhost" - }, - "event": { - "ingested": "2022-01-12T04:30:13.773660440Z", - "timezone": "+0000", - "kind": "event" + "system": { + "auth": {} }, - "message": "pam_unix(sudo-i:session): session opened for user root by userauth3(uid=0)", "user": { - "name": "userauth3", "effective": { "name": "root" }, - "id": "0" + "id": "0", + "name": "userauth3" } }, { - "process": { - "name": "pam" - }, - "system": { - "auth": {} - }, "@timestamp": "2019-06-14T11:31:15.412Z", - "related": { - "hosts": [ - "localhost" - ] - }, "ecs": { "version": "8.0.0" }, + "event": { + "kind": "event", + "timezone": "+0000" + }, "host": { "hostname": "localhost" }, - "event": { - "ingested": "2022-01-12T04:30:13.773662932Z", - "timezone": "+0000", - "kind": "event" + "message": "user nobody logged out.", + "process": { + "name": "pam" }, - "message": "user nobody logged out." + "related": { + "hosts": [ + "localhost" + ] + }, + "system": { + "auth": {} + } } ] } \ No newline at end of file diff --git a/packages/system/data_stream/auth/elasticsearch/ingest_pipeline/default.yml b/packages/system/data_stream/auth/elasticsearch/ingest_pipeline/default.yml index c5f171788fa..c8955926c43 100644 --- a/packages/system/data_stream/auth/elasticsearch/ingest_pipeline/default.yml +++ b/packages/system/data_stream/auth/elasticsearch/ingest_pipeline/default.yml 
@@ -1,9 +1,6 @@ --- description: Pipeline for parsing system authorisation/secure logs processors: - - set: - field: event.ingested - value: '{{_ingest.timestamp}}' - grok: field: message ignore_missing: true diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-1100.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-1100.json-expected.json index 0e2ec64348b..ba8907c944d 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-1100.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-1100.json-expected.json 
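Review bot: Dropping the `set event.ingested` processor leaves nothing in this pipeline that records ingest time, and the hunk does not say what produces the field now; presumably Fleet's final pipeline sets it after this one runs, but that should be stated in the file. Consumers depend on `event.ingested` for ingest-lag monitoring and for detection-rule scheduling (timestamp override), so an environment that invokes this pipeline without the Fleet final pipeline (pipeline simulation, standalone Beats) would now silently lose the field. A one-line comment near the top would keep the next maintainer from re-adding it or from assuming it is gone: `# event.ingested is set downstream (Fleet final pipeline); setting it here would be overwritten.` The regenerated expected files in the hunks above (test-auth.log, test-secure-rhel7.log, test-timestamp.log) and below (test-1100/1102/1104) drop the field for the same reason and need no separate change.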
@@ -1,60 +1,59 @@ { "expected": [ { + "@timestamp": "2019-11-07T10:37:04.226Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "bcbde3d3-6558-46d7-aaee-ed9cf67e04d3", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-11-07T10:37:04.226Z", - "winlog": { - "computer_name": "WIN-41OB2LO92CR.wlbeat.local", - "record_id": "14257", - "process": { - "pid": 1144, - "thread": { - "id": 4532 - } - }, - "event_id": "1100", - "keywords": [ - "Audit Success" - ], - "level": "information", - "provider_guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}", - "channel": "Security", - "time_created": "2019-11-07T10:37:04.226Z", - "opcode": "Info", - "provider_name": "Microsoft-Windows-Eventlog", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/1100.xml" - } - }, - "host": { - "name": "WIN-41OB2LO92CR.wlbeat.local" - }, "event": { - "ingested": "2022-01-12T04:30:14.271837670Z", - "code": "1100", - "provider": "Microsoft-Windows-Eventlog", - "kind": "event", "action": "logging-service-shutdown", "category": [ "process" ], + "code": "1100", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Eventlog", "type": [ "end" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/1100.xml" + }, + "level": "information" + }, + "winlog": { + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_id": "1100", + "keywords": [ + "Audit Success" ], - "outcome": "success" + "level": "information", + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 1144, + "thread": { + "id": 4532 + } + }, + "provider_guid": 
"{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}", + "provider_name": "Microsoft-Windows-Eventlog", + "record_id": "14257", + "time_created": "2019-11-07T10:37:04.226Z" } } ] diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-1102.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-1102.json-expected.json index cc1f32e1b35..af2f03a724d 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-1102.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-1102.json-expected.json @@ -1,22 +1,54 @@ { "expected": [ { + "@timestamp": "2019-11-07T10:34:29.055Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "737c4709-1498-44d4-b1e6-d21cac1470e5", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-11-07T10:34:29.055Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "audit-log-cleared", + "category": [ + "iam" + ], + "code": "1102", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Eventlog", + "type": [ + "admin", + "change" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/1102.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator" + ] + }, + "user": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator" + }, "winlog": { + "channel": "Security", "computer_name": "WIN-41OB2LO92CR.wlbeat.local", - "process": { - "pid": 1144, - "thread": { - "id": 1824 - } - }, + "event_id": "1102", "keywords": [ "Audit Success" ], 
@@ -24,58 +56,25 @@ "logon": { "id": "0x50e87" }, - "channel": "Security", + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 1144, + "thread": { + "id": 1824 + } + }, + "provider_guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}", + "provider_name": "Microsoft-Windows-Eventlog", + "record_id": "14224", + "time_created": "2019-11-07T10:34:29.055Z", "user_data": { - "SubjectUserName": "Administrator", "SubjectDomainName": "WLBEAT", "SubjectLogonId": "0x50e87", + "SubjectUserName": "Administrator", "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", "xml_name": "LogFileCleared" - }, - "opcode": "Info", - "record_id": "14224", - "event_id": "1102", - "provider_guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}", - "time_created": "2019-11-07T10:34:29.055Z", - "provider_name": "Microsoft-Windows-Eventlog", - "outcome": "success" - }, - "ecs": { - "version": "8.0.0" - }, - "related": { - "user": [ - "Administrator" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/1102.xml" } - }, - "host": { - "name": "WIN-41OB2LO92CR.wlbeat.local" - }, - "event": { - "ingested": "2022-01-12T04:30:14.712211032Z", - "code": "1102", - "provider": "Microsoft-Windows-Eventlog", - "kind": "event", - "action": "audit-log-cleared", - "category": [ - "iam" - ], - "type": [ - "admin", - "change" - ], - "outcome": "success" - }, - "user": { - "name": "Administrator", - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-500" } } ] diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-1104.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-1104.json-expected.json index 530d9a23a52..eb9a575b682 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-1104.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-1104.json-expected.json 
@@ -1,60 +1,59 @@ { "expected": [ { + "@timestamp": "2019-11-08T07:56:17.321Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "ba338c91-ffb8-4b65-8c25-7990b1cf0e01", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-11-08T07:56:17.321Z", - "winlog": { - "computer_name": "WIN-41OB2LO92CR.wlbeat.local", - "record_id": "19352", - "process": { - "pid": 1096, - "thread": { - "id": 1444 - } - }, - "event_id": "1104", - "keywords": [ - "Audit Success" - ], - "level": "error", - "provider_guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}", - "channel": "Security", - "time_created": "2019-11-08T07:56:17.321Z", - "opcode": "Info", - "provider_name": "Microsoft-Windows-Eventlog", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "log": { - "level": "error", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/1104.xml" - } - }, - "host": { - "name": "WIN-41OB2LO92CR.wlbeat.local" - }, "event": { - "ingested": "2022-01-12T04:30:15.303572264Z", - "code": "1104", - "provider": "Microsoft-Windows-Eventlog", - "kind": "event", "action": "logging-full", "category": [ "iam" ], + "code": "1104", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Eventlog", "type": [ "admin" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/1104.xml" + }, + "level": "error" + }, + "winlog": { + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_id": "1104", + "keywords": [ + "Audit Success" ], - "outcome": "success" + "level": "error", + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 1096, + "thread": { + "id": 1444 + } + }, + "provider_guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}", + 
"provider_name": "Microsoft-Windows-Eventlog", + "record_id": "19352", + "time_created": "2019-11-08T07:56:17.321Z" } } ] diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-1105.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-1105.json-expected.json index 3c4892d67e4..9d3b8c773d1 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-1105.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-1105.json-expected.json 
@@ -1,65 +1,64 @@ { "expected": [ { + "@timestamp": "2019-11-07T16:22:14.842Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "1b3ec690-31c3-4062-acdc-2afa56638178", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-11-07T16:22:14.842Z", - "winlog": { - "computer_name": "WIN-41OB2LO92CR.wlbeat.local", - "process": { - "pid": 1156, - "thread": { - "id": 1484 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "channel": "Security", - "user_data": { - "BackupPath": "C:\\Windows\\System32\\Winevt\\Logs\\Archive-Security-2019-11-07-16-22-14-780.evtx", - "xml_name": "AutoBackup", - "Channel": "Security" - }, - "opcode": "Info", - "record_id": "18197", - "event_id": "1105", - "provider_guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}", - "time_created": "2019-11-07T16:22:14.842Z", - "provider_name": "Microsoft-Windows-Eventlog", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/1105.xml" - } - }, - "host": { - "name": "WIN-41OB2LO92CR.wlbeat.local" - }, "event": { - "ingested": "2022-01-12T04:30:15.671206827Z", - "code": "1105", - "provider": "Microsoft-Windows-Eventlog", - "kind": "event", "action": "auditlog-archieved", "category": [ "iam" ], + "code": "1105", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Eventlog", "type": [ "admin" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/1105.xml" + }, + "level": "information" + }, + "winlog": { + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_id": "1105", + "keywords": [ + "Audit Success" ], - "outcome": "success" + 
"level": "information", + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 1156, + "thread": { + "id": 1484 + } + }, + "provider_guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}", + "provider_name": "Microsoft-Windows-Eventlog", + "record_id": "18197", + "time_created": "2019-11-07T16:22:14.842Z", + "user_data": { + "BackupPath": "C:\\Windows\\System32\\Winevt\\Logs\\Archive-Security-2019-11-07-16-22-14-780.evtx", + "Channel": "Security", + "xml_name": "AutoBackup" + } } } ] diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4663.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4663.json-expected.json index 7b4eb600aa7..7b99c5d7656 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-4663.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4663.json-expected.json 
@@ -1,86 +1,85 @@ { "expected": [ { - "input": { - "type": "log" - }, + "@timestamp": "2015-09-18T22:13:54.770Z", "agent": { - "name": "AgentName", + "ephemeral_id": "1e53eccd-9d5b-4001-9e6b-13b66625bb16", "hostname": "hostname", "id": "7d1ef343-9372-428d-bd10-0a78e6894797", - "ephemeral_id": "1e53eccd-9d5b-4001-9e6b-13b66625bb16", + "name": "AgentName", "type": "filebeat", "version": "7.15.2" }, - "@timestamp": "2015-09-18T22:13:54.770Z", - "winlog": { - "computer_name": "DC01.contoso.local", - "process": { - "pid": 516, - "thread": { - "id": 524 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x4367b" + "ecs": { + "version": "8.0.0" + }, + "event": { + "code": "4663", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing" + }, + "host": { + "name": "DC01.contoso.local" + }, + "input": { + "type": "log" + }, + "log": { + "file": { + "path": "/file/path/4663.xml" }, + "level": "information" + }, + "message": "\u003cEvent xmlns=\"http://schemas.microsoft.com/win/2004/08/events/event\"\u003e\u003cSystem\u003e \u003cProvider Name=\"Microsoft-Windows-Security-Auditing\" Guid=\"{54849625-5478-4994-A5BA-3E3B0328C30D}\" /\u003e\u003cEventID\u003e4663\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e0\u003c/Level\u003e\u003cTask\u003e12800\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8020000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime=\"2015-09-18T22:13:54.770429700Z\" /\u003e\u003cEventRecordID\u003e273866\u003c/EventRecordID\u003e\u003cCorrelation /\u003e\u003cExecution ProcessID=\"516\" ThreadID=\"524\" /\u003e\u003cChannel\u003eSecurity\u003c/Channel\u003e\u003cComputer\u003eDC01.contoso.local\u003c/Computer\u003e\u003cSecurity /\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name=\"SubjectUserSid\"\u003eS-1-5-21-3457937927-2839227994-823803824-1104\u003c/Data\u003e\u003cData 
Name=\"SubjectUserName\"\u003edadmin\u003c/Data\u003e\u003cData Name=\"SubjectDomainName\"\u003eCONTOSO\u003c/Data\u003e\u003cData Name=\"SubjectLogonId\"\u003e0x4367b\u003c/Data\u003e\u003cData Name=\"ObjectServer\"\u003eSecurity\u003c/Data\u003e\u003cData Name=\"ObjectType\"\u003eFile\u003c/Data\u003e\u003cData Name=\"ObjectName\"\u003eC:\\\\Documents\\\\HBI Data.txt\u003c/Data\u003e\u003cData Name=\"HandleId\"\u003e0x1bc\u003c/Data\u003e\u003cData Name=\"AccessList\"\u003e%%4417 %%4418\u003c/Data\u003e\u003cData Name=\"AccessMask\"\u003e0x6\u003c/Data\u003e\u003cData Name=\"ProcessId\"\u003e0x458\u003c/Data\u003e\u003cData Name=\"ProcessName\"\u003eC:\\\\Windows\\\\System32\\\\notepad.exe\u003c/Data\u003e\u003cData Name=\"ResourceAttributes\"\u003eS:AI(RA;ID;;;;WD;(\"Impact\\_MS\",TI,0x10020,3000))\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "winlog": { "channel": "Security", + "computer_name": "DC01.contoso.local", "event_data": { - "ProcessName": "C:\\\\Windows\\\\System32\\\\notepad.exe", - "SubjectLogonId": "0x4367b", - "AccessMask": "0x6", - "ResourceAttributes": "S:AI(RA;ID;;;;WD;(\"Impact\\_MS\",TI,0x10020,3000))", - "ObjectName": "C:\\\\Documents\\\\HBI Data.txt", - "ObjectType": "File", - "SubjectUserName": "dadmin", + "AccessList": "%%4417 %%4418", "AccessListDescription": [ "WriteData (or AddFile)", "AppendData (or AddSubdirectory or CreatePipeInstance)" ], - "ObjectServer": "Security", - "HandleId": "0x1bc", - "SubjectDomainName": "CONTOSO", - "ProcessId": "0x458", + "AccessMask": "0x6", "AccessMaskDescription": [ "Delete Child", "List Contents" ], - "AccessList": "%%4417 %%4418", + "HandleId": "0x1bc", + "ObjectName": "C:\\\\Documents\\\\HBI Data.txt", + "ObjectServer": "Security", + "ObjectType": "File", + "ProcessId": "0x458", + "ProcessName": "C:\\\\Windows\\\\System32\\\\notepad.exe", + "ResourceAttributes": "S:AI(RA;ID;;;;WD;(\"Impact\\_MS\",TI,0x10020,3000))", + "SubjectDomainName": "CONTOSO", + "SubjectLogonId": "0x4367b", + 
"SubjectUserName": "dadmin", "SubjectUserSid": "S-1-5-21-3457937927-2839227994-823803824-1104" }, - "opcode": "Info", - "version": 1, - "record_id": "273866", "event_id": "4663", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x4367b" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 516, + "thread": { + "id": 524 + } + }, "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", - "time_created": "2015-09-18T22:13:54.770Z", "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, - "ecs": { - "version": "8.0.0" - }, - "log": { - "level": "information", - "file": { - "path": "/file/path/4663.xml" - } - }, - "host": { - "name": "DC01.contoso.local" - }, - "event": { - "ingested": "2022-01-12T04:30:16.071281662Z", - "code": "4663", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", - "outcome": "success" - }, - "message": "\u003cEvent xmlns=\"http://schemas.microsoft.com/win/2004/08/events/event\"\u003e\u003cSystem\u003e \u003cProvider Name=\"Microsoft-Windows-Security-Auditing\" Guid=\"{54849625-5478-4994-A5BA-3E3B0328C30D}\" /\u003e\u003cEventID\u003e4663\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e0\u003c/Level\u003e\u003cTask\u003e12800\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8020000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime=\"2015-09-18T22:13:54.770429700Z\" /\u003e\u003cEventRecordID\u003e273866\u003c/EventRecordID\u003e\u003cCorrelation /\u003e\u003cExecution ProcessID=\"516\" ThreadID=\"524\" /\u003e\u003cChannel\u003eSecurity\u003c/Channel\u003e\u003cComputer\u003eDC01.contoso.local\u003c/Computer\u003e\u003cSecurity /\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name=\"SubjectUserSid\"\u003eS-1-5-21-3457937927-2839227994-823803824-1104\u003c/Data\u003e\u003cData Name=\"SubjectUserName\"\u003edadmin\u003c/Data\u003e\u003cData 
Name=\"SubjectDomainName\"\u003eCONTOSO\u003c/Data\u003e\u003cData Name=\"SubjectLogonId\"\u003e0x4367b\u003c/Data\u003e\u003cData Name=\"ObjectServer\"\u003eSecurity\u003c/Data\u003e\u003cData Name=\"ObjectType\"\u003eFile\u003c/Data\u003e\u003cData Name=\"ObjectName\"\u003eC:\\\\Documents\\\\HBI Data.txt\u003c/Data\u003e\u003cData Name=\"HandleId\"\u003e0x1bc\u003c/Data\u003e\u003cData Name=\"AccessList\"\u003e%%4417 %%4418\u003c/Data\u003e\u003cData Name=\"AccessMask\"\u003e0x6\u003c/Data\u003e\u003cData Name=\"ProcessId\"\u003e0x458\u003c/Data\u003e\u003cData Name=\"ProcessName\"\u003eC:\\\\Windows\\\\System32\\\\notepad.exe\u003c/Data\u003e\u003cData Name=\"ResourceAttributes\"\u003eS:AI(RA;ID;;;;WD;(\"Impact\\_MS\",TI,0x10020,3000))\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e" + "record_id": "273866", + "time_created": "2015-09-18T22:13:54.770Z", + "version": 1 + } } ] } \ No newline at end of file diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4670-windowssrv2016.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4670-windowssrv2016.json-expected.json index 3385c2486d7..ab042344396 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-4670-windowssrv2016.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4670-windowssrv2016.json-expected.json 
@@ -1,97 +1,96 @@ { "expected": [ { + "@timestamp": "2020-07-28T13:22:18.799Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "3d760cf7-94ed-4415-85cd-588f6adf9376", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "permissions-changed", + "category": [ + "iam", + "configuration" + ], + "code": "4670", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "admin", + "change" + ] + }, + "host": { + "name": "WIN-BVM4LI1L1Q6.TEST.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4670_WindowsSrv2016.xml" + }, + "level": "information" + }, "process": { + "executable": "C:\\Windows\\System32\\services.exe", "name": "services.exe", - "pid": 764, - "executable": "C:\\Windows\\System32\\services.exe" + "pid": 764 + }, + "related": { + "user": [ + "WIN-BVM4LI1L1Q6$" + ] + }, + "user": { + "domain": "TEST", + "id": "S-1-5-18", + "name": "WIN-BVM4LI1L1Q6$" }, - "@timestamp": "2020-07-28T13:22:18.799Z", "winlog": { - "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", - "process": { - "pid": 4, - "thread": { - "id": 4604 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x3e7" - }, "channel": "Security", + "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", "event_data": { - "OldSdDacl1": "Network service account :Access Allowed ([Generic All])", - "OldSdDacl0": "Local system :Access Allowed ([Generic All])", + "HandleId": "0x56c", "NewSd": "D:(A;;GA;;;SY)(A;;RC;;;OW)(A;;GA;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)", - "SubjectLogonId": "0x3e7", + "NewSdDacl0": "Local system :Access Allowed ([Generic All])", + "NewSdDacl1": "OW :Access Allowed ([Read Permissions])", + "NewSdDacl2": 
"S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628 :Access Allowed ([Generic All])", "ObjectName": "-", + "ObjectServer": "Security", "ObjectType": "Token", - "SubjectUserName": "WIN-BVM4LI1L1Q6$", "OldSd": "D:(A;;GA;;;SY)(A;;GA;;;NS)", - "ObjectServer": "Security", - "NewSdDacl0": "Local system :Access Allowed ([Generic All])", - "HandleId": "0x56c", + "OldSdDacl0": "Local system :Access Allowed ([Generic All])", + "OldSdDacl1": "Network service account :Access Allowed ([Generic All])", "SubjectDomainName": "TEST", - "NewSdDacl2": "S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628 :Access Allowed ([Generic All])", - "NewSdDacl1": "OW :Access Allowed ([Read Permissions])", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "WIN-BVM4LI1L1Q6$", "SubjectUserSid": "S-1-5-18" }, - "opcode": "Info", - "record_id": "31932", "event_id": "4670", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x3e7" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 4, + "thread": { + "id": 4604 + } + }, "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2020-07-28T13:22:18.799Z", "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, - "ecs": { - "version": "8.0.0" - }, - "related": { - "user": [ - "WIN-BVM4LI1L1Q6$" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4670_WindowsSrv2016.xml" - } - }, - "host": { - "name": "WIN-BVM4LI1L1Q6.TEST.local" - }, - "event": { - "ingested": "2022-01-12T04:30:16.399117983Z", - "code": "4670", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", - "action": "permissions-changed", - "category": [ - "iam", - "configuration" - ], - "type": [ - "admin", - "change" - ], - "outcome": "success" - }, - "user": { - "name": "WIN-BVM4LI1L1Q6$", - "domain": "TEST", - "id": "S-1-5-18" + "record_id": "31932", + 
"time_created": "2020-07-28T13:22:18.799Z" } } ] diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4674.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4674.json-expected.json index c3dc3d55f02..71ae01558a3 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-4674.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4674.json-expected.json 
@@ -1,100 +1,99 @@ { "expected": [ { + "@timestamp": "2015-10-09T00:22:36.237Z", "agent": { - "name": "AgentName", + "ephemeral_id": "8c285603-b2ba-4891-8f1a-862ca3388614", "hostname": "hostname", "id": "7d1ef343-9372-428d-bd10-0a78e6894797", - "ephemeral_id": "8c285603-b2ba-4891-8f1a-862ca3388614", + "name": "AgentName", "type": "filebeat", "version": "7.15.2" }, - "process": { - "name": "lsass.exe", - "pid": 496, - "executable": "C:\\\\Windows\\\\System32\\\\lsass.exe" + "ecs": { + "version": "8.0.0" }, - "winlog": { - "computer_name": "DC01.contoso.local", - "process": { - "pid": 496, - "thread": { - "id": 504 - } - }, - "keywords": [ - "Audit Failure" + "event": { + "action": "privileged-operation", + "category": [ + "iam" ], - "level": "information", - "logon": { - "id": "0x3e5" - }, - "channel": "Security", - "event_data": { - "ObjectType": "-", - "SubjectUserName": "LOCAL SERVICE", - "ObjectServer": "LSA", - "HandleId": "0x0", - "SubjectDomainName": "NT AUTHORITY", - "SubjectLogonId": "0x3e5", - "AccessMaskDescription": [ - "ADS_RIGHT_ACCESS_SYSTEM_SECURITY" - ], - "AccessMask": "16777216", - "PrivilegeList": [ - "SeSecurityPrivilege" - ], - "SubjectUserSid": "S-1-5-19", - "ObjectName": "-" - }, - "opcode": "Info", - "record_id": "1099680", - "event_id": "4674", - "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", - "time_created": "2015-10-09T00:22:36.237Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "failure" + "code": "4674", + "kind": "event", + "outcome": "failure", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "admin" + ] + }, + "host": { + "name": "DC01.contoso.local" + }, + "input": { + "type": "log" }, "log": { - "level": "information", "file": { "path": "/file/path/4674.xml" - } + }, + "level": "information" }, "message": "\u003cEvent xmlns=\"http://schemas.microsoft.com/win/2004/08/events/event\"\u003e\u003cSystem\u003e\u003cProvider Name=\"Microsoft-Windows-Security-Auditing\" 
Guid=\"{54849625-5478-4994-A5BA-3E3B0328C30D}\" /\u003e\u003cEventID\u003e4674\u003c/EventID\u003e\u003cVersion\u003e0\u003c/Version\u003e\u003cLevel\u003e0\u003c/Level\u003e\u003cTask\u003e13056\u003c/Task\u003e\u003cOpcode\u003e0\u003c/Opcode\u003e\u003cKeywords\u003e0x8010000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime=\"2015-10-09T00:22:36.237816000Z\" /\u003e\u003cEventRecordID\u003e1099680\u003c/EventRecordID\u003e\u003cCorrelation /\u003e\u003cExecution ProcessID=\"496\" ThreadID=\"504\" /\u003e\u003cChannel\u003eSecurity\u003c/Channel\u003e\u003cComputer\u003eDC01.contoso.local\u003c/Computer\u003e\u003cSecurity /\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name=\"SubjectUserSid\"\u003eS-1-5-19\u003c/Data\u003e\u003cData Name=\"SubjectUserName\"\u003eLOCAL SERVICE\u003c/Data\u003e\u003cData Name=\"SubjectDomainName\"\u003eNT AUTHORITY\u003c/Data\u003e\u003cData Name=\"SubjectLogonId\"\u003e0x3e5\u003c/Data\u003e\u003cData Name=\"ObjectServer\"\u003eLSA\u003c/Data\u003e\u003cData Name=\"ObjectType\"\u003e-\u003c/Data\u003e\u003cData Name=\"ObjectName\"\u003e-\u003c/Data\u003e\u003cData Name=\"HandleId\"\u003e0x0\u003c/Data\u003e\u003cData Name=\"AccessMask\"\u003e16777216\u003c/Data\u003e\u003cData Name=\"PrivilegeList\"\u003eSeSecurityPrivilege\u003c/Data\u003e\u003cData Name=\"ProcessId\"\u003e0x1f0\u003c/Data\u003e\u003cData Name=\"ProcessName\"\u003eC:\\\\Windows\\\\System32\\\\lsass.exe\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "input": { - "type": "log" - }, - "@timestamp": "2015-10-09T00:22:36.237Z", - "ecs": { - "version": "8.0.0" + "process": { + "executable": "C:\\\\Windows\\\\System32\\\\lsass.exe", + "name": "lsass.exe", + "pid": 496 }, "related": { "user": [ "LOCAL SERVICE" ] }, - "host": { - "name": "DC01.contoso.local" - }, - "event": { - "ingested": "2022-01-12T04:30:16.854755425Z", - "code": "4674", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", - "action": 
"privileged-operation", - "category": [ - "iam" - ], - "type": [ - "admin" - ], - "outcome": "failure" - }, "user": { - "name": "LOCAL SERVICE", "domain": "NT AUTHORITY", - "id": "S-1-5-19" + "id": "S-1-5-19", + "name": "LOCAL SERVICE" + }, + "winlog": { + "channel": "Security", + "computer_name": "DC01.contoso.local", + "event_data": { + "AccessMask": "16777216", + "AccessMaskDescription": [ + "ADS_RIGHT_ACCESS_SYSTEM_SECURITY" + ], + "HandleId": "0x0", + "ObjectName": "-", + "ObjectServer": "LSA", + "ObjectType": "-", + "PrivilegeList": [ + "SeSecurityPrivilege" + ], + "SubjectDomainName": "NT AUTHORITY", + "SubjectLogonId": "0x3e5", + "SubjectUserName": "LOCAL SERVICE", + "SubjectUserSid": "S-1-5-19" + }, + "event_id": "4674", + "keywords": [ + "Audit Failure" + ], + "level": "information", + "logon": { + "id": "0x3e5" + }, + "opcode": "Info", + "outcome": "failure", + "process": { + "pid": 496, + "thread": { + "id": 504 + } + }, + "provider_guid": "{54849625-5478-4994-A5BA-3E3B0328C30D}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "1099680", + "time_created": "2015-10-09T00:22:36.237Z" } } ] diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4706-windowssrv2016.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4706-windowssrv2016.json-expected.json index e6f0fb49da5..8fb08637e26 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-4706-windowssrv2016.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4706-windowssrv2016.json-expected.json 
@@ -1,23 +1,66 @@ { "expected": [ { + "@timestamp": "2020-07-27T09:42:48.369Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "9e4d57e6-8caa-43f7-aa64-6b78dc45ae4d", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2020-07-27T09:42:48.369Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "domain-trust-added", + "category": [ + "configuration" + ], + "code": "4706", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "creation" + ] + }, + "host": { + "name": "WIN-BVM4LI1L1Q6.TEST.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4706_WindowsSrv2016.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator" + ] + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-2024912787-2692429404-2351956786-500", + "name": "Administrator" + }, "winlog": { + "activity_id": "{be129571-63f8-0000-a795-12bef863d601}", + "channel": "Security", "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", - "process": { - "pid": 776, - "thread": { - "id": 3056 - } + "event_data": { + "DomainName": "192.168.230.153", + "DomainSid": "S-1-0-0", + "SidFilteringEnabled": "%%1796", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x6a868", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-2024912787-2692429404-2351956786-500", + "TdoAttributes": "1", + "TdoDirection": "3", + "TdoType": "3" }, - "trustAttribute": "TRUST_ATTRIBUTE_NON_TRANSITIVE", + "event_id": "4706", "keywords": [ "Audit Success" ], 
@@ -25,65 +68,21 @@ "logon": { "id": "0x6a868" }, - "channel": "Security", - "event_data": { - "SidFilteringEnabled": "%%1796", - "DomainSid": "S-1-0-0", - "SubjectUserName": "Administrator", - "DomainName": "192.168.230.153", - "SubjectDomainName": "TEST", - "TdoDirection": "3", - "SubjectLogonId": "0x6a868", - "TdoAttributes": "1", - "TdoType": "3", - "SubjectUserSid": "S-1-5-21-2024912787-2692429404-2351956786-500" - }, "opcode": "Info", - "record_id": "6017", - "event_id": "4706", + "outcome": "success", + "process": { + "pid": 776, + "thread": { + "id": 3056 + } + }, "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "activity_id": "{be129571-63f8-0000-a795-12bef863d601}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "6017", "time_created": "2020-07-27T09:42:48.369Z", + "trustAttribute": "TRUST_ATTRIBUTE_NON_TRANSITIVE", "trustDirection": "TRUST_DIRECTION_BIDIRECTIONAL", - "trustType": "TRUST_TYPE_MIT", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, - "ecs": { - "version": "8.0.0" - }, - "related": { - "user": [ - "Administrator" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4706_WindowsSrv2016.xml" - } - }, - "host": { - "name": "WIN-BVM4LI1L1Q6.TEST.local" - }, - "event": { - "ingested": "2022-01-12T04:30:17.541442100Z", - "code": "4706", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", - "action": "domain-trust-added", - "category": [ - "configuration" - ], - "type": [ - "creation" - ], - "outcome": "success" - }, - "user": { - "name": "Administrator", - "domain": "TEST", - "id": "S-1-5-21-2024912787-2692429404-2351956786-500" + "trustType": "TRUST_TYPE_MIT" } } ] 
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4707-windowssrv2016.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4707-windowssrv2016.json-expected.json index 238b155a398..d258bfedc83 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-4707-windowssrv2016.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4707-windowssrv2016.json-expected.json 
@@ -1,81 +1,80 @@ { "expected": [ { + "@timestamp": "2020-07-28T06:18:04.600Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "3d917dba-6707-4ee1-be70-ba855a9e5b1c", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2020-07-28T06:18:04.600Z", - "winlog": { - "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", - "process": { - "pid": 776, - "thread": { - "id": 2012 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x6a868" - }, - "channel": "Security", - "event_data": { - "DomainSid": "S-1-0-0", - "SubjectUserName": "Administrator", - "SubjectDomainName": "TEST", - "SubjectLogonId": "0x6a868", - "DomainName": "192.168.230.153", - "SubjectUserSid": "S-1-5-21-2024912787-2692429404-2351956786-500" - }, - "opcode": "Info", - "record_id": "13679", - "event_id": "4707", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2020-07-28T06:18:04.600Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "Administrator" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4707_WindowsSrv2016.xml" - } - }, - "host": { - "name": "WIN-BVM4LI1L1Q6.TEST.local" - }, "event": { - "ingested": "2022-01-12T04:30:17.992595466Z", - "code": "4707", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "domain-trust-removed", "category": [ "configuration" ], + "code": "4707", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "deletion" - ], - "outcome": "success" + ] + }, + "host": { + "name": "WIN-BVM4LI1L1Q6.TEST.local" + }, + "log": { + "file": { + "path": 
"/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4707_WindowsSrv2016.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator" + ] }, "user": { - "name": "Administrator", "domain": "TEST", - "id": "S-1-5-21-2024912787-2692429404-2351956786-500" + "id": "S-1-5-21-2024912787-2692429404-2351956786-500", + "name": "Administrator" + }, + "winlog": { + "channel": "Security", + "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", + "event_data": { + "DomainName": "192.168.230.153", + "DomainSid": "S-1-0-0", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x6a868", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-2024912787-2692429404-2351956786-500" + }, + "event_id": "4707", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x6a868" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 776, + "thread": { + "id": 2012 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "13679", + "time_created": "2020-07-28T06:18:04.600Z" } } ] diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4713-windowssrv2016.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4713-windowssrv2016.json-expected.json index b9461b65a24..7f197a8b7cc 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-4713-windowssrv2016.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4713-windowssrv2016.json-expected.json 
@@ -1,81 +1,80 @@ { "expected": [ { + "@timestamp": "2020-07-28T10:15:43.495Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "00d05603-1d0f-476c-99f7-059a70f43625", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2020-07-28T10:15:43.495Z", - "winlog": { - "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", - "process": { - "pid": 776, - "thread": { - "id": 2012 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x3e7" - }, - "channel": "Security", - "event_data": { - "KerberosPolicyChange": "KerMinT: 0x53d1ac1000 (0x53ade8ca00); KerMaxR: 0x649534e0000 (0x58028e44000); KerProxy: 0xd693a400 (0xb2d05e00); ", - "SubjectUserName": "WIN-BVM4LI1L1Q6$", - "SubjectDomainName": "TEST", - "SubjectLogonId": "0x3e7", - "SubjectUserSid": "S-1-5-18" - }, - "opcode": "Info", - "record_id": "21265", - "event_id": "4713", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "activity_id": "{be129571-63f8-0000-a795-12bef863d601}", - "time_created": "2020-07-28T10:15:43.495Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "WIN-BVM4LI1L1Q6$" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4713_WindowsSrv2016.xml" - } - }, - "host": { - "name": "WIN-BVM4LI1L1Q6.TEST.local" - }, "event": { - "ingested": "2022-01-12T04:30:18.610588213Z", - "code": "4713", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "kerberos-policy-changed", "category": [ "configuration" ], + "code": "4713", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "change" - ], - "outcome": "success" + ] + }, + "host": { + "name": 
"WIN-BVM4LI1L1Q6.TEST.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4713_WindowsSrv2016.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "WIN-BVM4LI1L1Q6$" + ] }, "user": { - "name": "WIN-BVM4LI1L1Q6$", "domain": "TEST", - "id": "S-1-5-18" + "id": "S-1-5-18", + "name": "WIN-BVM4LI1L1Q6$" + }, + "winlog": { + "activity_id": "{be129571-63f8-0000-a795-12bef863d601}", + "channel": "Security", + "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", + "event_data": { + "KerberosPolicyChange": "KerMinT: 0x53d1ac1000 (0x53ade8ca00); KerMaxR: 0x649534e0000 (0x58028e44000); KerProxy: 0xd693a400 (0xb2d05e00); ", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "WIN-BVM4LI1L1Q6$", + "SubjectUserSid": "S-1-5-18" + }, + "event_id": "4713", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x3e7" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 776, + "thread": { + "id": 2012 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "21265", + "time_created": "2020-07-28T10:15:43.495Z" } } ] diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4716-windowssrv2016.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4716-windowssrv2016.json-expected.json index 903402b977a..58b0730cfa7 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-4716-windowssrv2016.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4716-windowssrv2016.json-expected.json 
@@ -1,23 +1,66 @@ { "expected": [ { + "@timestamp": "2020-07-28T08:17:00.470Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "73327973-22b1-49d2-ba3c-f467e39c81a0", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2020-07-28T08:17:00.470Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "trusted-domain-information-changed", + "category": [ + "configuration" + ], + "code": "4716", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "change" + ] + }, + "host": { + "name": "WIN-BVM4LI1L1Q6.TEST.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4716_WindowsSrv2016.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator" + ] + }, + "user": { + "domain": "TEST", + "id": "S-1-5-21-2024912787-2692429404-2351956786-500", + "name": "Administrator" + }, "winlog": { + "activity_id": "{be129571-63f8-0000-a795-12bef863d601}", + "channel": "Security", "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", - "process": { - "pid": 776, - "thread": { - "id": 3776 - } + "event_data": { + "DomainName": "-", + "DomainSid": "S-1-0-0", + "SidFilteringEnabled": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x6a868", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-2024912787-2692429404-2351956786-500", + "TdoAttributes": "1", + "TdoDirection": "3", + "TdoType": "3" }, - "trustAttribute": "TRUST_ATTRIBUTE_NON_TRANSITIVE", + "event_id": "4716", "keywords": [ "Audit Success" ], 
@@ -25,65 +68,21 @@ "logon": { "id": "0x6a868" }, - "channel": "Security", - "event_data": { - "SidFilteringEnabled": "-", - "DomainSid": "S-1-0-0", - "SubjectUserName": "Administrator", - "DomainName": "-", - "SubjectDomainName": "TEST", - "TdoDirection": "3", - "SubjectLogonId": "0x6a868", - "TdoAttributes": "1", - "TdoType": "3", - "SubjectUserSid": "S-1-5-21-2024912787-2692429404-2351956786-500" - }, "opcode": "Info", - "record_id": "14929", - "event_id": "4716", + "outcome": "success", + "process": { + "pid": 776, + "thread": { + "id": 3776 + } + }, "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "activity_id": "{be129571-63f8-0000-a795-12bef863d601}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "14929", "time_created": "2020-07-28T08:17:00.470Z", + "trustAttribute": "TRUST_ATTRIBUTE_NON_TRANSITIVE", "trustDirection": "TRUST_DIRECTION_BIDIRECTIONAL", - "trustType": "TRUST_TYPE_MIT", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, - "ecs": { - "version": "8.0.0" - }, - "related": { - "user": [ - "Administrator" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4716_WindowsSrv2016.xml" - } - }, - "host": { - "name": "WIN-BVM4LI1L1Q6.TEST.local" - }, - "event": { - "ingested": "2022-01-12T04:30:19.091604287Z", - "code": "4716", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", - "action": "trusted-domain-information-changed", - "category": [ - "configuration" - ], - "type": [ - "change" - ], - "outcome": "success" - }, - "user": { - "name": "Administrator", - "domain": "TEST", - "id": "S-1-5-21-2024912787-2692429404-2351956786-500" + "trustType": "TRUST_TYPE_MIT" } } ] 
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4717-windowssrv2016.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4717-windowssrv2016.json-expected.json index 1966811b316..02be43b6a4a 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-4717-windowssrv2016.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4717-windowssrv2016.json-expected.json 
@@ -1,84 +1,83 @@ { "expected": [ { + "@timestamp": "2020-07-27T09:30:41.903Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "1271c200-5f2f-42c7-bc2f-abbdc1211f37", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2020-07-27T09:30:41.903Z", - "winlog": { - "computer_name": "WIN-BVM4LI1L1Q6", - "process": { - "pid": 776, - "thread": { - "id": 820 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x3e7" - }, - "channel": "Security", - "event_data": { - "TargetSid": "S-1-5-9", - "SubjectUserName": "WIN-BVM4LI1L1Q6$", - "SubjectDomainName": "WORKGROUP", - "AccessGranted": "SeNetworkLogonRight", - "SubjectLogonId": "0x3e7", - "SubjectUserSid": "S-1-5-18" - }, - "opcode": "Info", - "record_id": "1571", - "event_id": "4717", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "activity_id": "{b69bb9ff-63f5-0000-35ba-9bb6f563d601}", - "time_created": "2020-07-27T09:30:41.903Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "WIN-BVM4LI1L1Q6$" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4717_WindowsSrv2016.xml" - } - }, - "host": { - "name": "WIN-BVM4LI1L1Q6" - }, "event": { - "ingested": "2022-01-12T04:30:19.373210534Z", - "code": "4717", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "system-security-access-granted", "category": [ "iam", "configuration" ], + "code": "4717", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "admin", "change" - ], - "outcome": "success" + ] + }, + "host": { + "name": "WIN-BVM4LI1L1Q6" + }, + "log": { + "file": { + "path": 
"/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4717_WindowsSrv2016.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "WIN-BVM4LI1L1Q6$" + ] }, "user": { - "name": "WIN-BVM4LI1L1Q6$", "domain": "WORKGROUP", - "id": "S-1-5-18" + "id": "S-1-5-18", + "name": "WIN-BVM4LI1L1Q6$" + }, + "winlog": { + "activity_id": "{b69bb9ff-63f5-0000-35ba-9bb6f563d601}", + "channel": "Security", + "computer_name": "WIN-BVM4LI1L1Q6", + "event_data": { + "AccessGranted": "SeNetworkLogonRight", + "SubjectDomainName": "WORKGROUP", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "WIN-BVM4LI1L1Q6$", + "SubjectUserSid": "S-1-5-18", + "TargetSid": "S-1-5-9" + }, + "event_id": "4717", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x3e7" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 776, + "thread": { + "id": 820 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "1571", + "time_created": "2020-07-27T09:30:41.903Z" } } ] diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4718-windowssrv2016.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4718-windowssrv2016.json-expected.json index c59bb88aa6a..b35c42e9390 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-4718-windowssrv2016.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4718-windowssrv2016.json-expected.json 
@@ -1,84 +1,83 @@ { "expected": [ { + "@timestamp": "2020-07-27T09:30:41.877Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "2ab86036-bb3b-4131-a797-34f5dca7b048", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2020-07-27T09:30:41.877Z", - "winlog": { - "computer_name": "WIN-BVM4LI1L1Q6", - "process": { - "pid": 776, - "thread": { - "id": 820 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x3e7" - }, - "channel": "Security", - "event_data": { - "AccessRemoved": "SeNetworkLogonRight", - "TargetSid": "S-1-5-32-545", - "SubjectUserName": "WIN-BVM4LI1L1Q6$", - "SubjectDomainName": "WORKGROUP", - "SubjectLogonId": "0x3e7", - "SubjectUserSid": "S-1-5-18" - }, - "opcode": "Info", - "record_id": "1565", - "event_id": "4718", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "activity_id": "{b69bb9ff-63f5-0000-35ba-9bb6f563d601}", - "time_created": "2020-07-27T09:30:41.877Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "WIN-BVM4LI1L1Q6$" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4718_WindowsSrv2016.xml" - } - }, - "host": { - "name": "WIN-BVM4LI1L1Q6" - }, "event": { - "ingested": "2022-01-12T04:30:20.028558465Z", - "code": "4718", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "system-security-access-removed", "category": [ "iam", "configuration" ], + "code": "4718", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "admin", "deletion" - ], - "outcome": "success" + ] + }, + "host": { + "name": "WIN-BVM4LI1L1Q6" + }, + "log": { + "file": { + "path": 
"/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4718_WindowsSrv2016.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "WIN-BVM4LI1L1Q6$" + ] }, "user": { - "name": "WIN-BVM4LI1L1Q6$", "domain": "WORKGROUP", - "id": "S-1-5-18" + "id": "S-1-5-18", + "name": "WIN-BVM4LI1L1Q6$" + }, + "winlog": { + "activity_id": "{b69bb9ff-63f5-0000-35ba-9bb6f563d601}", + "channel": "Security", + "computer_name": "WIN-BVM4LI1L1Q6", + "event_data": { + "AccessRemoved": "SeNetworkLogonRight", + "SubjectDomainName": "WORKGROUP", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "WIN-BVM4LI1L1Q6$", + "SubjectUserSid": "S-1-5-18", + "TargetSid": "S-1-5-32-545" + }, + "event_id": "4718", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x3e7" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 776, + "thread": { + "id": 820 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "1565", + "time_created": "2020-07-27T09:30:41.877Z" } } ] diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4719-windowssrv2016.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4719-windowssrv2016.json-expected.json index 281792e9cf3..51c28011e68 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-4719-windowssrv2016.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4719-windowssrv2016.json-expected.json 
@@ -1,91 +1,90 @@ { "expected": [ { + "@timestamp": "2020-08-18T13:45:57.480Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "615d6dcc-ad38-494d-a4d6-bc35a1bcb7fe", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2020-08-18T13:45:57.480Z", - "winlog": { - "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", - "process": { - "pid": 780, - "thread": { - "id": 2764 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x44d7d" - }, - "channel": "Security", - "event_data": { - "CategoryId": "%%8274", - "SubjectUserName": "Administrator", - "Category": "Object Access", - "AuditPolicyChanges": "%%8448", - "SubcategoryId": "%%12804", - "SubCategory": "Other Object Access Events", - "SubjectDomainName": "TEST", - "AuditPolicyChangesDescription": [ - "Success removed" - ], - "SubjectLogonId": "0x44d7d", - "SubcategoryGuid": "{0cce9227-69ae-11d9-bed3-505054503030}", - "SubjectUserSid": "S-1-5-21-2024912787-2692429404-2351956786-500" - }, - "opcode": "Info", - "record_id": "123879", - "event_id": "4719", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "activity_id": "{65461d39-753f-0000-731d-46653f75d601}", - "time_created": "2020-08-18T13:45:57.480Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "Administrator" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4719_WindowsSrv2016.xml" - } - }, - "host": { - "name": "WIN-BVM4LI1L1Q6.TEST.local" - }, "event": { - "ingested": "2022-01-12T04:30:20.513042479Z", - "code": "4719", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "changed-audit-config", "category": [ "iam", "configuration" ], + "code": 
"4719", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "admin", "change" - ], - "outcome": "success" + ] + }, + "host": { + "name": "WIN-BVM4LI1L1Q6.TEST.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4719_WindowsSrv2016.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator" + ] }, "user": { - "name": "Administrator", "domain": "TEST", - "id": "S-1-5-21-2024912787-2692429404-2351956786-500" + "id": "S-1-5-21-2024912787-2692429404-2351956786-500", + "name": "Administrator" + }, + "winlog": { + "activity_id": "{65461d39-753f-0000-731d-46653f75d601}", + "channel": "Security", + "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", + "event_data": { + "AuditPolicyChanges": "%%8448", + "AuditPolicyChangesDescription": [ + "Success removed" + ], + "Category": "Object Access", + "CategoryId": "%%8274", + "SubCategory": "Other Object Access Events", + "SubcategoryGuid": "{0cce9227-69ae-11d9-bed3-505054503030}", + "SubcategoryId": "%%12804", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x44d7d", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-2024912787-2692429404-2351956786-500" + }, + "event_id": "4719", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x44d7d" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 780, + "thread": { + "id": 2764 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "123879", + "time_created": "2020-08-18T13:45:57.480Z" } } ] diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4719.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4719.json-expected.json index 92f882dc4d0..c23e65ecc39 100644 
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4719.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4719.json-expected.json 
@@ -1,92 +1,91 @@ { "expected": [ { + "@timestamp": "2019-11-07T15:22:57.655Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "a5d5ef8c-c4b4-402a-9d5d-a3643947e76a", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-11-07T15:22:57.655Z", - "winlog": { - "computer_name": "WIN-41OB2LO92CR.wlbeat.local", - "process": { - "pid": 772, - "thread": { - "id": 2944 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x3e7" - }, - "channel": "Security", - "event_data": { - "CategoryId": "%%8273", - "SubjectUserName": "WIN-41OB2LO92CR$", - "Category": "Logon/Logoff", - "AuditPolicyChanges": "%%8449, %%8451", - "SubcategoryId": "%%12552", - "SubCategory": "Network Policy Server", - "SubjectDomainName": "WLBEAT", - "AuditPolicyChangesDescription": [ - "Success Added", - "Failure Added" - ], - "SubjectLogonId": "0x3e7", - "SubcategoryGuid": "{0cce9243-69ae-11d9-bed3-505054503030}", - "SubjectUserSid": "S-1-5-18" - }, - "opcode": "Info", - "record_id": "17154", - "event_id": "4719", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "activity_id": "{3eef0a0d-9551-0000-140c-ef3e5195d501}", - "time_created": "2019-11-07T15:22:57.655Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "WIN-41OB2LO92CR$" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4719.xml" - } - }, - "host": { - "name": "WIN-41OB2LO92CR.wlbeat.local" - }, "event": { - "ingested": "2022-01-12T04:30:21.487739019Z", - "code": "4719", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "changed-audit-config", "category": [ "iam", "configuration" ], + "code": "4719", + "kind": "event", + 
"outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "admin", "change" - ], - "outcome": "success" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4719.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "WIN-41OB2LO92CR$" + ] }, "user": { - "name": "WIN-41OB2LO92CR$", "domain": "WLBEAT", - "id": "S-1-5-18" + "id": "S-1-5-18", + "name": "WIN-41OB2LO92CR$" + }, + "winlog": { + "activity_id": "{3eef0a0d-9551-0000-140c-ef3e5195d501}", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_data": { + "AuditPolicyChanges": "%%8449, %%8451", + "AuditPolicyChangesDescription": [ + "Success Added", + "Failure Added" + ], + "Category": "Logon/Logoff", + "CategoryId": "%%8273", + "SubCategory": "Network Policy Server", + "SubcategoryGuid": "{0cce9243-69ae-11d9-bed3-505054503030}", + "SubcategoryId": "%%12552", + "SubjectDomainName": "WLBEAT", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "WIN-41OB2LO92CR$", + "SubjectUserSid": "S-1-5-18" + }, + "event_id": "4719", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x3e7" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 772, + "thread": { + "id": 2944 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "17154", + "time_created": "2019-11-07T15:22:57.655Z" } } ] diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4739-windowssrv2016.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4739-windowssrv2016.json-expected.json index df66d51ced5..e661faa33fa 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-4739-windowssrv2016.json-expected.json 
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4739-windowssrv2016.json-expected.json 
@@ -1,88 +1,87 @@ { "expected": [ { + "@timestamp": "2020-07-27T09:34:50.157Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "bd63c19a-cad0-4833-9b84-5ed4e7e27cc5", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2020-07-27T09:34:50.157Z", - "winlog": { - "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", - "process": { - "pid": 776, - "thread": { - "id": 812 - } - }, - "keywords": [ - "Audit Success" + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "domain-policy-changed", + "category": [ + "configuration" ], - "level": "information", - "logon": { - "id": "0x3e7" + "code": "4739", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "change" + ] + }, + "host": { + "name": "WIN-BVM4LI1L1Q6.TEST.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4739_WindowsSrv2016.xml" }, + "level": "information" + }, + "related": { + "user": [ + "WIN-BVM4LI1L1Q6$" + ] + }, + "user": { + "domain": "TEST", + "id": "S-1-5-18", + "name": "WIN-BVM4LI1L1Q6$" + }, + "winlog": { "channel": "Security", + "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", "event_data": { + "DomainBehaviorVersion": "-", "DomainName": "TEST", - "SubjectLogonId": "0x3e7", - "PasswordHistoryLength": "-", + "DomainPolicyChanged": "Password Policy", "DomainSid": "S-1-5-21-2024912787-2692429404-2351956786", - "SubjectUserName": "WIN-BVM4LI1L1Q6$", - "OemInformation": "-", "MachineAccountQuota": "-", "MixedDomainMode": "-", - "SubjectDomainName": "TEST", - "DomainBehaviorVersion": "-", - "DomainPolicyChanged": "Password Policy", + "OemInformation": "-", + "PasswordHistoryLength": "-", "PrivilegeList": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "WIN-BVM4LI1L1Q6$", "SubjectUserSid": 
"S-1-5-18" }, - "opcode": "Info", - "record_id": "3532", "event_id": "4739", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x3e7" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 776, + "thread": { + "id": 812 + } + }, "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2020-07-27T09:34:50.157Z", "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, - "ecs": { - "version": "8.0.0" - }, - "related": { - "user": [ - "WIN-BVM4LI1L1Q6$" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4739_WindowsSrv2016.xml" - } - }, - "host": { - "name": "WIN-BVM4LI1L1Q6.TEST.local" - }, - "event": { - "ingested": "2022-01-12T04:30:21.758149273Z", - "code": "4739", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", - "action": "domain-policy-changed", - "category": [ - "configuration" - ], - "type": [ - "change" - ], - "outcome": "success" - }, - "user": { - "name": "WIN-BVM4LI1L1Q6$", - "domain": "TEST", - "id": "S-1-5-18" + "record_id": "3532", + "time_created": "2020-07-27T09:34:50.157Z" } } ] diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4743.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4743.json-expected.json index 617385fdfd8..f2ad8d32396 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-4743.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4743.json-expected.json 
@@ -1,91 +1,90 @@ { "expected": [ { + "@timestamp": "2019-12-18T16:25:21.578Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "851a38b2-b036-44b2-9c64-2ee2c4567d73", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-12-18T16:25:21.578Z", - "winlog": { - "computer_name": "DC_TEST2k12.TEST.SAAS", - "process": { - "pid": 492, - "thread": { - "id": 664 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "computerObject": { - "name": "TESTCOMPUTEROBJ$", - "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2902" - }, - "logon": { - "id": "0x2e67800" - }, - "channel": "Security", - "event_data": { - "SubjectUserName": "at_adm", - "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2902", - "SubjectDomainName": "TEST", - "SubjectLogonId": "0x2e67800", - "TargetUserName": "TESTCOMPUTEROBJ$", - "TargetDomainName": "TEST", - "PrivilegeList": [ - "-" - ], - "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794" - }, - "opcode": "Info", - "record_id": "3699966", - "event_id": "4743", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-12-18T16:25:21.578Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "at_adm" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4743.xml" - } - }, - "host": { - "name": "DC_TEST2k12.TEST.SAAS" - }, "event": { - "ingested": "2022-01-12T04:30:22.242494865Z", - "code": "4743", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "deleted-computer-account", "category": [ "iam" ], + "code": "4743", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", 
"type": [ "deletion", "admin" - ], - "outcome": "success" + ] + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4743.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "at_adm" + ] }, "user": { - "name": "at_adm", "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2794" + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm" + }, + "winlog": { + "channel": "Security", + "computerObject": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2902", + "name": "TESTCOMPUTEROBJ$" + }, + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "PrivilegeList": [ + "-" + ], + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2902", + "TargetUserName": "TESTCOMPUTEROBJ$" + }, + "event_id": "4743", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 492, + "thread": { + "id": 664 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "3699966", + "time_created": "2019-12-18T16:25:21.578Z" } } ] diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4744.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4744.json-expected.json index e504115c963..633a3e5cadb 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-4744.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4744.json-expected.json 
@@ -1,91 +1,90 @@ { "expected": [ { + "@timestamp": "2019-12-18T16:26:46.874Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "8110911f-6b3a-4c77-9d29-41319d5bfa08", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-12-18T16:26:46.874Z", - "winlog": { - "computer_name": "DC_TEST2k12.TEST.SAAS", - "process": { - "pid": 492, - "thread": { - "id": 664 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x2e67800" - }, - "channel": "Security", - "event_data": { - "SamAccountName": "testdistlocal", - "SubjectUserName": "at_adm", - "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2903", - "SidHistory": "-", - "SubjectDomainName": "TEST", - "SubjectLogonId": "0x2e67800", - "TargetUserName": "testdistlocal", - "TargetDomainName": "TEST", - "PrivilegeList": "-", - "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794" - }, - "opcode": "Info", - "record_id": "3699973", - "event_id": "4744", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-12-18T16:26:46.874Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "at_adm" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4744.xml" - } - }, - "host": { - "name": "DC_TEST2k12.TEST.SAAS" - }, "event": { - "ingested": "2022-01-12T04:30:22.799995585Z", - "code": "4744", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "added-distribution-group-account", "category": [ "iam" ], + "code": "4744", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "group", "creation" - ], - "outcome": "success" + ] }, - "user": { - 
"name": "at_adm", + "group": { "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2794" + "id": "S-1-5-21-1717121054-434620538-60925301-2903", + "name": "testdistlocal" }, - "group": { - "name": "testdistlocal", + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4744.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "at_adm" + ] + }, + "user": { "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2903" + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm" + }, + "winlog": { + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "PrivilegeList": "-", + "SamAccountName": "testdistlocal", + "SidHistory": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2903", + "TargetUserName": "testdistlocal" + }, + "event_id": "4744", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 492, + "thread": { + "id": 664 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "3699973", + "time_created": "2019-12-18T16:26:46.874Z" } } ] diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4745.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4745.json-expected.json index 6b4da8fdbea..0bdc8827330 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-4745.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4745.json-expected.json 
@@ -1,91 +1,90 @@ { "expected": [ { + "@timestamp": "2019-12-18T16:29:05.017Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "cd7f1761-3be1-4d56-bcc6-c0d761791c5c", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-12-18T16:29:05.017Z", - "winlog": { - "computer_name": "DC_TEST2k12.TEST.SAAS", - "process": { - "pid": 492, - "thread": { - "id": 1076 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x2e67800" - }, - "channel": "Security", - "event_data": { - "SamAccountName": "testdistlocal1", - "SubjectUserName": "at_adm", - "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2903", - "SidHistory": "-", - "SubjectDomainName": "TEST", - "SubjectLogonId": "0x2e67800", - "TargetUserName": "testdistlocal1", - "TargetDomainName": "TEST", - "PrivilegeList": "-", - "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794" - }, - "opcode": "Info", - "record_id": "3700000", - "event_id": "4745", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-12-18T16:29:05.017Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "at_adm" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4745.xml" - } - }, - "host": { - "name": "DC_TEST2k12.TEST.SAAS" - }, "event": { - "ingested": "2022-01-12T04:30:23.290150562Z", - "code": "4745", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "changed-distribution-group-account", "category": [ "iam" ], + "code": "4745", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "group", "change" - ], - "outcome": "success" + ] }, - "user": { - 
"name": "at_adm", + "group": { "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2794" + "id": "S-1-5-21-1717121054-434620538-60925301-2903", + "name": "testdistlocal1" }, - "group": { - "name": "testdistlocal1", + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4745.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "at_adm" + ] + }, + "user": { "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2903" + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm" + }, + "winlog": { + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "PrivilegeList": "-", + "SamAccountName": "testdistlocal1", + "SidHistory": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2903", + "TargetUserName": "testdistlocal1" + }, + "event_id": "4745", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 492, + "thread": { + "id": 1076 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "3700000", + "time_created": "2019-12-18T16:29:05.017Z" } } ] diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4746.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4746.json-expected.json index 1f22826515c..706c7be48f5 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-4746.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4746.json-expected.json 
@@ -1,101 +1,100 @@ { "expected": [ { + "@timestamp": "2019-12-18T16:31:01.611Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "fc9e565f-bcec-4532-805f-3f5b942b5642", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-12-18T16:31:01.611Z", - "winlog": { - "computer_name": "DC_TEST2k12.TEST.SAAS", - "process": { - "pid": 492, - "thread": { - "id": 1076 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x2e67800" - }, - "channel": "Security", - "event_data": { - "SubjectUserName": "at_adm", - "MemberSid": "S-1-5-21-1717121054-434620538-60925301-500", - "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2903", - "SubjectDomainName": "TEST", - "MemberName": "CN=Administrator,CN=Users,DC=TEST,DC=SAAS", - "SubjectLogonId": "0x2e67800", - "TargetUserName": "testdistlocal1", - "TargetDomainName": "TEST", - "PrivilegeList": "-", - "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794" - }, - "opcode": "Info", - "record_id": "3700022", - "event_id": "4746", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-12-18T16:31:01.611Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "Administrator", - "at_adm" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4746.xml" - } - }, - "host": { - "name": "DC_TEST2k12.TEST.SAAS" - }, "event": { - "ingested": "2022-01-12T04:30:23.578103426Z", - "code": "4746", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "added-member-to-distribution-group", "category": [ "iam" ], + "code": "4746", + "kind": "event", + "outcome": "success", + "provider": 
"Microsoft-Windows-Security-Auditing", "type": [ "group", "change" - ], - "outcome": "success" + ] + }, + "group": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2903", + "name": "testdistlocal1" + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4746.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator", + "at_adm" + ] }, "user": { - "name": "at_adm", - "id": "S-1-5-21-1717121054-434620538-60925301-2794", "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm", "target": { - "name": "Administrator", "domain": "SAAS", "group": { - "name": "testdistlocal1", "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2903" - } + "id": "S-1-5-21-1717121054-434620538-60925301-2903", + "name": "testdistlocal1" + }, + "name": "Administrator" } }, - "group": { - "name": "testdistlocal1", - "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2903" + "winlog": { + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "MemberName": "CN=Administrator,CN=Users,DC=TEST,DC=SAAS", + "MemberSid": "S-1-5-21-1717121054-434620538-60925301-500", + "PrivilegeList": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2903", + "TargetUserName": "testdistlocal1" + }, + "event_id": "4746", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 492, + "thread": { + "id": 1076 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "3700022", + 
"time_created": "2019-12-18T16:31:01.611Z" } } ] diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4747.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4747.json-expected.json index 49261fa22e0..b2062c4a352 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-4747.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4747.json-expected.json 
@@ -1,101 +1,100 @@ { "expected": [ { + "@timestamp": "2019-12-18T16:35:16.681Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "0475a24c-6c58-4fe5-bcca-e508c2ba84a2", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-12-18T16:35:16.681Z", - "winlog": { - "computer_name": "DC_TEST2k12.TEST.SAAS", - "process": { - "pid": 492, - "thread": { - "id": 664 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x2e67800" - }, - "channel": "Security", - "event_data": { - "SubjectUserName": "at_adm", - "MemberSid": "S-1-5-21-1717121054-434620538-60925301-500", - "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2903", - "SubjectDomainName": "TEST", - "MemberName": "CN=Administrator,CN=Users,DC=TEST,DC=SAAS", - "SubjectLogonId": "0x2e67800", - "TargetUserName": "testdistlocal1", - "TargetDomainName": "TEST", - "PrivilegeList": "-", - "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794" - }, - "opcode": "Info", - "record_id": "3700064", - "event_id": "4747", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-12-18T16:35:16.681Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "Administrator", - "at_adm" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4747.xml" - } - }, - "host": { - "name": "DC_TEST2k12.TEST.SAAS" - }, "event": { - "ingested": "2022-01-12T04:30:24.558007434Z", - "code": "4747", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "removed-member-from-distribution-group", "category": [ "iam" ], + "code": "4747", + "kind": "event", + "outcome": "success", + "provider": 
"Microsoft-Windows-Security-Auditing", "type": [ "group", "change" - ], - "outcome": "success" + ] + }, + "group": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2903", + "name": "testdistlocal1" + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4747.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator", + "at_adm" + ] }, "user": { - "name": "at_adm", - "id": "S-1-5-21-1717121054-434620538-60925301-2794", "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm", "target": { - "name": "Administrator", "domain": "SAAS", "group": { - "name": "testdistlocal1", "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2903" - } + "id": "S-1-5-21-1717121054-434620538-60925301-2903", + "name": "testdistlocal1" + }, + "name": "Administrator" } }, - "group": { - "name": "testdistlocal1", - "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2903" + "winlog": { + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "MemberName": "CN=Administrator,CN=Users,DC=TEST,DC=SAAS", + "MemberSid": "S-1-5-21-1717121054-434620538-60925301-500", + "PrivilegeList": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2903", + "TargetUserName": "testdistlocal1" + }, + "event_id": "4747", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 492, + "thread": { + "id": 664 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "3700064", + 
"time_created": "2019-12-18T16:35:16.681Z" } } ] diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4748.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4748.json-expected.json index 101c234e205..dc0a383cf2a 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-4748.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4748.json-expected.json 
@@ -1,89 +1,88 @@ { "expected": [ { + "@timestamp": "2019-12-19T08:01:45.982Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "92ff57cc-8a87-45ee-a407-525b380b8b06", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-12-19T08:01:45.982Z", - "winlog": { - "computer_name": "DC_TEST2k12.TEST.SAAS", - "process": { - "pid": 492, - "thread": { - "id": 1076 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x2e67800" - }, - "channel": "Security", - "event_data": { - "SubjectUserName": "at_adm", - "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2903", - "SubjectDomainName": "TEST", - "SubjectLogonId": "0x2e67800", - "TargetUserName": "testdistlocal1", - "TargetDomainName": "TEST", - "PrivilegeList": "-", - "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794" - }, - "opcode": "Info", - "record_id": "3707490", - "event_id": "4748", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-12-19T08:01:45.982Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "at_adm" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4748.xml" - } - }, - "host": { - "name": "DC_TEST2k12.TEST.SAAS" - }, "event": { - "ingested": "2022-01-12T04:30:24.912274464Z", - "code": "4748", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "deleted-distribution-group-account", "category": [ "iam" ], + "code": "4748", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "group", "deletion" - ], - "outcome": "success" + ] }, - "user": { - "name": "at_adm", + "group": { "domain": "TEST", - "id": 
"S-1-5-21-1717121054-434620538-60925301-2794" + "id": "S-1-5-21-1717121054-434620538-60925301-2903", + "name": "testdistlocal1" }, - "group": { - "name": "testdistlocal1", + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4748.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "at_adm" + ] + }, + "user": { "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2903" + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm" + }, + "winlog": { + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "PrivilegeList": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2903", + "TargetUserName": "testdistlocal1" + }, + "event_id": "4748", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 492, + "thread": { + "id": 1076 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "3707490", + "time_created": "2019-12-19T08:01:45.982Z" } } ] diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4749.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4749.json-expected.json index 7bbc34027e2..c33b185fe01 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-4749.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4749.json-expected.json 
@@ -1,91 +1,90 @@ { "expected": [ { + "@timestamp": "2019-12-19T08:03:42.723Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "45230148-94bf-45cf-8eb1-339760e041d3", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-12-19T08:03:42.723Z", - "winlog": { - "computer_name": "DC_TEST2k12.TEST.SAAS", - "process": { - "pid": 492, - "thread": { - "id": 1348 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x2e67800" - }, - "channel": "Security", - "event_data": { - "SamAccountName": "testglobal", - "SubjectUserName": "at_adm", - "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2904", - "SidHistory": "-", - "SubjectDomainName": "TEST", - "SubjectLogonId": "0x2e67800", - "TargetUserName": "testglobal", - "TargetDomainName": "TEST", - "PrivilegeList": "-", - "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794" - }, - "opcode": "Info", - "record_id": "3707497", - "event_id": "4749", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-12-19T08:03:42.723Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "at_adm" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4749.xml" - } - }, - "host": { - "name": "DC_TEST2k12.TEST.SAAS" - }, "event": { - "ingested": "2022-01-12T04:30:25.303461550Z", - "code": "4749", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "added-distribution-group-account", "category": [ "iam" ], + "code": "4749", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "group", "creation" - ], - "outcome": "success" + ] }, - "user": { - "name": 
"at_adm", + "group": { "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2794" + "id": "S-1-5-21-1717121054-434620538-60925301-2904", + "name": "testglobal" }, - "group": { - "name": "testglobal", + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4749.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "at_adm" + ] + }, + "user": { "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2904" + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm" + }, + "winlog": { + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "PrivilegeList": "-", + "SamAccountName": "testglobal", + "SidHistory": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2904", + "TargetUserName": "testglobal" + }, + "event_id": "4749", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 492, + "thread": { + "id": 1348 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "3707497", + "time_created": "2019-12-19T08:03:42.723Z" } } ] diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4750.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4750.json-expected.json index d27e89f5199..97d6c312747 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-4750.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4750.json-expected.json 
@@ -1,91 +1,90 @@ { "expected": [ { + "@timestamp": "2019-12-19T08:10:57.473Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "764fe6a7-38ac-43f0-b125-6388fd0c33e6", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-12-19T08:10:57.473Z", - "winlog": { - "computer_name": "DC_TEST2k12.TEST.SAAS", - "process": { - "pid": 492, - "thread": { - "id": 664 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x2e67800" - }, - "channel": "Security", - "event_data": { - "SamAccountName": "testglobal1", - "SubjectUserName": "at_adm", - "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2904", - "SidHistory": "-", - "SubjectDomainName": "TEST", - "SubjectLogonId": "0x2e67800", - "TargetUserName": "testglobal1", - "TargetDomainName": "TEST", - "PrivilegeList": "-", - "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794" - }, - "opcode": "Info", - "record_id": "3707550", - "event_id": "4750", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-12-19T08:10:57.473Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "at_adm" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4750.xml" - } - }, - "host": { - "name": "DC_TEST2k12.TEST.SAAS" - }, "event": { - "ingested": "2022-01-12T04:30:26.026354551Z", - "code": "4750", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "changed-distribution-group-account", "category": [ "iam" ], + "code": "4750", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "group", "change" - ], - "outcome": "success" + ] }, - "user": { - 
"name": "at_adm", + "group": { "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2794" + "id": "S-1-5-21-1717121054-434620538-60925301-2904", + "name": "testglobal1" }, - "group": { - "name": "testglobal1", + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4750.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "at_adm" + ] + }, + "user": { "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2904" + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm" + }, + "winlog": { + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "PrivilegeList": "-", + "SamAccountName": "testglobal1", + "SidHistory": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2904", + "TargetUserName": "testglobal1" + }, + "event_id": "4750", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 492, + "thread": { + "id": 664 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "3707550", + "time_created": "2019-12-19T08:10:57.473Z" } } ] diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4751.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4751.json-expected.json index 51d5c1b7860..ec431cdf4a3 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-4751.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4751.json-expected.json 
@@ -1,101 +1,100 @@ { "expected": [ { + "@timestamp": "2019-12-19T08:20:29.088Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "217ae042-3cca-46d1-bfa9-e65a2044307b", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-12-19T08:20:29.088Z", - "winlog": { - "computer_name": "DC_TEST2k12.TEST.SAAS", - "process": { - "pid": 492, - "thread": { - "id": 1076 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x2e67800" - }, - "channel": "Security", - "event_data": { - "SubjectUserName": "at_adm", - "MemberSid": "S-1-5-21-1717121054-434620538-60925301-500", - "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2904", - "SubjectDomainName": "TEST", - "MemberName": "CN=Administrator,CN=Users,DC=TEST,DC=SAAS", - "SubjectLogonId": "0x2e67800", - "TargetUserName": "testglobal1", - "TargetDomainName": "TEST", - "PrivilegeList": "-", - "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794" - }, - "opcode": "Info", - "record_id": "3707667", - "event_id": "4751", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-12-19T08:20:29.088Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "Administrator", - "at_adm" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4751.xml" - } - }, - "host": { - "name": "DC_TEST2k12.TEST.SAAS" - }, "event": { - "ingested": "2022-01-12T04:30:26.458025088Z", - "code": "4751", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "added-member-to-distribution-group", "category": [ "iam" ], + "code": "4751", + "kind": "event", + "outcome": "success", + "provider": 
"Microsoft-Windows-Security-Auditing", "type": [ "group", "change" - ], - "outcome": "success" + ] + }, + "group": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2904", + "name": "testglobal1" + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4751.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator", + "at_adm" + ] }, "user": { - "name": "at_adm", - "id": "S-1-5-21-1717121054-434620538-60925301-2794", "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm", "target": { - "name": "Administrator", "domain": "SAAS", "group": { - "name": "testglobal1", "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2904" - } + "id": "S-1-5-21-1717121054-434620538-60925301-2904", + "name": "testglobal1" + }, + "name": "Administrator" } }, - "group": { - "name": "testglobal1", - "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2904" + "winlog": { + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "MemberName": "CN=Administrator,CN=Users,DC=TEST,DC=SAAS", + "MemberSid": "S-1-5-21-1717121054-434620538-60925301-500", + "PrivilegeList": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2904", + "TargetUserName": "testglobal1" + }, + "event_id": "4751", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 492, + "thread": { + "id": 1076 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "3707667", + 
"time_created": "2019-12-19T08:20:29.088Z" } } ] diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4752.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4752.json-expected.json index afbfc9685de..4cce57269f8 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-4752.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4752.json-expected.json 
@@ -1,101 +1,100 @@ { "expected": [ { + "@timestamp": "2019-12-19T08:21:23.644Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "60028370-f07b-4e9d-a025-de2a73da6d62", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-12-19T08:21:23.644Z", - "winlog": { - "computer_name": "DC_TEST2k12.TEST.SAAS", - "process": { - "pid": 492, - "thread": { - "id": 1076 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x2e67800" - }, - "channel": "Security", - "event_data": { - "SubjectUserName": "at_adm", - "MemberSid": "S-1-5-21-1717121054-434620538-60925301-500", - "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2904", - "SubjectDomainName": "TEST", - "MemberName": "CN=Administrator,CN=Users,DC=TEST,DC=SAAS", - "SubjectLogonId": "0x2e67800", - "TargetUserName": "testglobal1", - "TargetDomainName": "TEST", - "PrivilegeList": "-", - "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794" - }, - "opcode": "Info", - "record_id": "3707686", - "event_id": "4752", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-12-19T08:21:23.644Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "Administrator", - "at_adm" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4752.xml" - } - }, - "host": { - "name": "DC_TEST2k12.TEST.SAAS" - }, "event": { - "ingested": "2022-01-12T04:30:27.217947423Z", - "code": "4752", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "removed-member-from-distribution-group", "category": [ "iam" ], + "code": "4752", + "kind": "event", + "outcome": "success", + "provider": 
"Microsoft-Windows-Security-Auditing", "type": [ "group", "change" - ], - "outcome": "success" + ] + }, + "group": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2904", + "name": "testglobal1" + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4752.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator", + "at_adm" + ] }, "user": { - "name": "at_adm", - "id": "S-1-5-21-1717121054-434620538-60925301-2794", "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm", "target": { - "name": "Administrator", "domain": "SAAS", "group": { - "name": "testglobal1", "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2904" - } + "id": "S-1-5-21-1717121054-434620538-60925301-2904", + "name": "testglobal1" + }, + "name": "Administrator" } }, - "group": { - "name": "testglobal1", - "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2904" + "winlog": { + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "MemberName": "CN=Administrator,CN=Users,DC=TEST,DC=SAAS", + "MemberSid": "S-1-5-21-1717121054-434620538-60925301-500", + "PrivilegeList": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2904", + "TargetUserName": "testglobal1" + }, + "event_id": "4752", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 492, + "thread": { + "id": 1076 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "3707686", + 
"time_created": "2019-12-19T08:21:23.644Z" } } ] diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4753.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4753.json-expected.json index 212d6e50756..7a07ac8e1e0 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-4753.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4753.json-expected.json 
@@ -1,89 +1,88 @@ { "expected": [ { + "@timestamp": "2019-12-19T08:24:36.595Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "35c58767-a921-4503-a9ea-086fb7326910", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-12-19T08:24:36.595Z", - "winlog": { - "computer_name": "DC_TEST2k12.TEST.SAAS", - "process": { - "pid": 492, - "thread": { - "id": 1076 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x2e67800" - }, - "channel": "Security", - "event_data": { - "SubjectUserName": "at_adm", - "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2904", - "SubjectDomainName": "TEST", - "SubjectLogonId": "0x2e67800", - "TargetUserName": "testglobal1", - "TargetDomainName": "TEST", - "PrivilegeList": "-", - "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794" - }, - "opcode": "Info", - "record_id": "3707709", - "event_id": "4753", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-12-19T08:24:36.595Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "at_adm" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4753.xml" - } - }, - "host": { - "name": "DC_TEST2k12.TEST.SAAS" - }, "event": { - "ingested": "2022-01-12T04:30:27.808738895Z", - "code": "4753", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "deleted-distribution-group-account", "category": [ "iam" ], + "code": "4753", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "group", "deletion" - ], - "outcome": "success" + ] }, - "user": { - "name": "at_adm", + "group": { "domain": "TEST", - "id": 
"S-1-5-21-1717121054-434620538-60925301-2794" + "id": "S-1-5-21-1717121054-434620538-60925301-2904", + "name": "testglobal1" }, - "group": { - "name": "testglobal1", + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4753.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "at_adm" + ] + }, + "user": { "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2904" + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm" + }, + "winlog": { + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "PrivilegeList": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2904", + "TargetUserName": "testglobal1" + }, + "event_id": "4753", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 492, + "thread": { + "id": 1076 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "3707709", + "time_created": "2019-12-19T08:24:36.595Z" } } ] diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4759.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4759.json-expected.json index 96ccdbeb449..878534a9787 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-4759.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4759.json-expected.json 
@@ -1,91 +1,90 @@ { "expected": [ { + "@timestamp": "2019-12-19T08:26:26.143Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "c67ac17a-6afd-4a2e-a1e9-5177024c937c", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-12-19T08:26:26.143Z", - "winlog": { - "computer_name": "DC_TEST2k12.TEST.SAAS", - "process": { - "pid": 492, - "thread": { - "id": 1348 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x2e67800" - }, - "channel": "Security", - "event_data": { - "SamAccountName": "testuni", - "SubjectUserName": "at_adm", - "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2905", - "SidHistory": "-", - "SubjectDomainName": "TEST", - "SubjectLogonId": "0x2e67800", - "TargetUserName": "testuni", - "TargetDomainName": "TEST", - "PrivilegeList": "-", - "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794" - }, - "opcode": "Info", - "record_id": "3707737", - "event_id": "4759", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-12-19T08:26:26.143Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "at_adm" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4759.xml" - } - }, - "host": { - "name": "DC_TEST2k12.TEST.SAAS" - }, "event": { - "ingested": "2022-01-12T04:30:28.181859256Z", - "code": "4759", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "added-distribution-group-account", "category": [ "iam" ], + "code": "4759", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "group", "creation" - ], - "outcome": "success" + ] }, - "user": { - "name": 
"at_adm", + "group": { "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2794" + "id": "S-1-5-21-1717121054-434620538-60925301-2905", + "name": "testuni" }, - "group": { - "name": "testuni", + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4759.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "at_adm" + ] + }, + "user": { "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2905" + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm" + }, + "winlog": { + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "PrivilegeList": "-", + "SamAccountName": "testuni", + "SidHistory": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2905", + "TargetUserName": "testuni" + }, + "event_id": "4759", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 492, + "thread": { + "id": 1348 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "3707737", + "time_created": "2019-12-19T08:26:26.143Z" } } ] diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4760.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4760.json-expected.json index 37fa655e630..7ee77583c73 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-4760.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4760.json-expected.json 
@@ -1,91 +1,90 @@ { "expected": [ { + "@timestamp": "2019-12-19T08:28:21.030Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "9bad4bd9-375e-474f-b410-74962cfaccd0", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-12-19T08:28:21.030Z", - "winlog": { - "computer_name": "DC_TEST2k12.TEST.SAAS", - "process": { - "pid": 492, - "thread": { - "id": 664 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x2e67800" - }, - "channel": "Security", - "event_data": { - "SamAccountName": "testuni2", - "SubjectUserName": "at_adm", - "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2905", - "SidHistory": "-", - "SubjectDomainName": "TEST", - "SubjectLogonId": "0x2e67800", - "TargetUserName": "testuni2", - "TargetDomainName": "TEST", - "PrivilegeList": "-", - "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794" - }, - "opcode": "Info", - "record_id": "3707745", - "event_id": "4760", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-12-19T08:28:21.030Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "at_adm" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4760.xml" - } - }, - "host": { - "name": "DC_TEST2k12.TEST.SAAS" - }, "event": { - "ingested": "2022-01-12T04:30:28.756383438Z", - "code": "4760", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "changed-distribution-group-account", "category": [ "iam" ], + "code": "4760", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "group", "change" - ], - "outcome": "success" + ] }, - "user": { - "name": 
"at_adm", + "group": { "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2794" + "id": "S-1-5-21-1717121054-434620538-60925301-2905", + "name": "testuni2" }, - "group": { - "name": "testuni2", + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4760.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "at_adm" + ] + }, + "user": { "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2905" + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm" + }, + "winlog": { + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "PrivilegeList": "-", + "SamAccountName": "testuni2", + "SidHistory": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2905", + "TargetUserName": "testuni2" + }, + "event_id": "4760", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 492, + "thread": { + "id": 664 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "3707745", + "time_created": "2019-12-19T08:28:21.030Z" } } ] diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4761.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4761.json-expected.json index 3e76f0deaa8..7a0d928437e 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-4761.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4761.json-expected.json 
@@ -1,101 +1,100 @@ { "expected": [ { + "@timestamp": "2019-12-19T08:29:38.448Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "cae437da-c042-490f-95a6-c9e54a2d15db", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-12-19T08:29:38.448Z", - "winlog": { - "computer_name": "DC_TEST2k12.TEST.SAAS", - "process": { - "pid": 492, - "thread": { - "id": 1348 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x2e67800" - }, - "channel": "Security", - "event_data": { - "SubjectUserName": "at_adm", - "MemberSid": "S-1-5-21-1717121054-434620538-60925301-500", - "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2905", - "SubjectDomainName": "TEST", - "MemberName": "CN=Administrator,CN=Users,DC=TEST,DC=SAAS", - "SubjectLogonId": "0x2e67800", - "TargetUserName": "testuni2", - "TargetDomainName": "TEST", - "PrivilegeList": "-", - "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794" - }, - "opcode": "Info", - "record_id": "3707755", - "event_id": "4761", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-12-19T08:29:38.448Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "Administrator", - "at_adm" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4761.xml" - } - }, - "host": { - "name": "DC_TEST2k12.TEST.SAAS" - }, "event": { - "ingested": "2022-01-12T04:30:29.251791824Z", - "code": "4761", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "added-member-to-distribution-group", "category": [ "iam" ], + "code": "4761", + "kind": "event", + "outcome": "success", + "provider": 
"Microsoft-Windows-Security-Auditing", "type": [ "group", "change" - ], - "outcome": "success" + ] + }, + "group": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2905", + "name": "testuni2" + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4761.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator", + "at_adm" + ] }, "user": { - "name": "at_adm", - "id": "S-1-5-21-1717121054-434620538-60925301-2794", "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm", "target": { - "name": "Administrator", "domain": "SAAS", "group": { - "name": "testuni2", "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2905" - } + "id": "S-1-5-21-1717121054-434620538-60925301-2905", + "name": "testuni2" + }, + "name": "Administrator" } }, - "group": { - "name": "testuni2", - "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2905" + "winlog": { + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "MemberName": "CN=Administrator,CN=Users,DC=TEST,DC=SAAS", + "MemberSid": "S-1-5-21-1717121054-434620538-60925301-500", + "PrivilegeList": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2905", + "TargetUserName": "testuni2" + }, + "event_id": "4761", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 492, + "thread": { + "id": 1348 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "3707755", + "time_created": 
"2019-12-19T08:29:38.448Z" } } ] diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4762.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4762.json-expected.json index a2411b28b5d..ee41c5f4cce 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-4762.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4762.json-expected.json 
@@ -1,101 +1,100 @@ { "expected": [ { + "@timestamp": "2019-12-19T08:33:25.967Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "41db62b1-ba4b-4ca5-b44a-41d30f14b154", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-12-19T08:33:25.967Z", - "winlog": { - "computer_name": "DC_TEST2k12.TEST.SAAS", - "process": { - "pid": 492, - "thread": { - "id": 1348 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x2e67800" - }, - "channel": "Security", - "event_data": { - "SubjectUserName": "at_adm", - "MemberSid": "S-1-5-21-1717121054-434620538-60925301-500", - "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2905", - "SubjectDomainName": "TEST", - "MemberName": "CN=Administrator,CN=Users,DC=TEST,DC=SAAS", - "SubjectLogonId": "0x2e67800", - "TargetUserName": "testuni2", - "TargetDomainName": "TEST", - "PrivilegeList": "-", - "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794" - }, - "opcode": "Info", - "record_id": "3707841", - "event_id": "4762", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-12-19T08:33:25.967Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "Administrator", - "at_adm" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4762.xml" - } - }, - "host": { - "name": "DC_TEST2k12.TEST.SAAS" - }, "event": { - "ingested": "2022-01-12T04:30:30.044700943Z", - "code": "4762", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "removed-member-from-distribution-group", "category": [ "iam" ], + "code": "4762", + "kind": "event", + "outcome": "success", + "provider": 
"Microsoft-Windows-Security-Auditing", "type": [ "group", "change" - ], - "outcome": "success" + ] + }, + "group": { + "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2905", + "name": "testuni2" + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4762.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator", + "at_adm" + ] }, "user": { - "name": "at_adm", - "id": "S-1-5-21-1717121054-434620538-60925301-2794", "domain": "TEST", + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm", "target": { - "name": "Administrator", "domain": "SAAS", "group": { - "name": "testuni2", "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2905" - } + "id": "S-1-5-21-1717121054-434620538-60925301-2905", + "name": "testuni2" + }, + "name": "Administrator" } }, - "group": { - "name": "testuni2", - "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2905" + "winlog": { + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "MemberName": "CN=Administrator,CN=Users,DC=TEST,DC=SAAS", + "MemberSid": "S-1-5-21-1717121054-434620538-60925301-500", + "PrivilegeList": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2905", + "TargetUserName": "testuni2" + }, + "event_id": "4762", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 492, + "thread": { + "id": 1348 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "3707841", + "time_created": 
"2019-12-19T08:33:25.967Z" } } ] diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4763.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4763.json-expected.json index 3f0322dc533..1c0b9338d41 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-4763.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4763.json-expected.json 
@@ -1,89 +1,88 @@ { "expected": [ { + "@timestamp": "2019-12-19T08:34:23.162Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "34714bdd-4b69-48f1-a4c6-c02799139342", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-12-19T08:34:23.162Z", - "winlog": { - "computer_name": "DC_TEST2k12.TEST.SAAS", - "process": { - "pid": 492, - "thread": { - "id": 1348 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x2e67800" - }, - "channel": "Security", - "event_data": { - "SubjectUserName": "at_adm", - "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2905", - "SubjectDomainName": "TEST", - "SubjectLogonId": "0x2e67800", - "TargetUserName": "testuni2", - "TargetDomainName": "TEST", - "PrivilegeList": "-", - "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794" - }, - "opcode": "Info", - "record_id": "3707847", - "event_id": "4763", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-12-19T08:34:23.162Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "at_adm" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4763.xml" - } - }, - "host": { - "name": "DC_TEST2k12.TEST.SAAS" - }, "event": { - "ingested": "2022-01-12T04:30:30.578643627Z", - "code": "4763", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "deleted-distribution-group-account", "category": [ "iam" ], + "code": "4763", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "group", "deletion" - ], - "outcome": "success" + ] }, - "user": { - "name": "at_adm", + "group": { "domain": "TEST", - "id": 
"S-1-5-21-1717121054-434620538-60925301-2794" + "id": "S-1-5-21-1717121054-434620538-60925301-2905", + "name": "testuni2" }, - "group": { - "name": "testuni2", + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4763.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "at_adm" + ] + }, + "user": { "domain": "TEST", - "id": "S-1-5-21-1717121054-434620538-60925301-2905" + "id": "S-1-5-21-1717121054-434620538-60925301-2794", + "name": "at_adm" + }, + "winlog": { + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "PrivilegeList": "-", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x2e67800", + "SubjectUserName": "at_adm", + "SubjectUserSid": "S-1-5-21-1717121054-434620538-60925301-2794", + "TargetDomainName": "TEST", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2905", + "TargetUserName": "testuni2" + }, + "event_id": "4763", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x2e67800" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 492, + "thread": { + "id": 1348 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "3707847", + "time_created": "2019-12-19T08:34:23.162Z" } } ] diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4817-windowssrv2016.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4817-windowssrv2016.json-expected.json index a83e69f5e44..d62f0f64de6 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-4817-windowssrv2016.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4817-windowssrv2016.json-expected.json 
@@ -1,89 +1,88 @@ { "expected": [ { + "@timestamp": "2020-08-17T12:49:09.494Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "c7c0a49b-a78b-4dd9-8928-44e2fc4322a9", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2020-08-17T12:49:09.494Z", - "winlog": { - "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", - "process": { - "pid": 776, - "thread": { - "id": 3052 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x3e7" - }, - "channel": "Security", - "event_data": { - "ObjectType": "Global SACL", - "SubjectUserName": "WIN-BVM4LI1L1Q6$", - "ObjectServer": "LSA", - "SubjectDomainName": "TEST", - "NewSd": "S:(AU;SA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-2024912787-2692429404-2351956786-500)(AU;SA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-2024912787-2692429404-2351956786-1000)", - "SubjectLogonId": "0x3e7", - "NewSdSacl1": "null :System Audit ([Create All Child Objects, Delete All Child Objects, List Contents, All Validated, Read All Properties, Write All Properties, Delete Subtree, List Object, All Extended Rights, Delete, Read Permissions, Modify Permissions, Modify Owner])", - "NewSdSacl0": "Administrator :System Audit ([Create All Child Objects, Delete All Child Objects, List Contents, All Validated, Read All Properties, Write All Properties, Delete Subtree, List Object, All Extended Rights, Delete, Read Permissions, Modify Permissions, Modify Owner])", - "SubjectUserSid": "S-1-5-18", - "ObjectName": "File" - }, - "opcode": "Info", - "record_id": "114278", - "event_id": "4817", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "activity_id": "{dfcd2c2a-7481-0000-682c-cddf8174d601}", - "time_created": "2020-08-17T12:49:09.494Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - 
"user": [ - "WIN-BVM4LI1L1Q6$", - "Administrator" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4817_WindowsSrv2016.xml" - } - }, - "host": { - "name": "WIN-BVM4LI1L1Q6.TEST.local" - }, "event": { - "ingested": "2022-01-12T04:30:31.089974785Z", - "code": "4817", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "object-audit-changed", "category": [ "iam", "configuration" ], + "code": "4817", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "admin", "change" - ], - "outcome": "success" + ] + }, + "host": { + "name": "WIN-BVM4LI1L1Q6.TEST.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4817_WindowsSrv2016.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "WIN-BVM4LI1L1Q6$", + "Administrator" + ] }, "user": { - "name": "WIN-BVM4LI1L1Q6$", "domain": "TEST", - "id": "S-1-5-18" + "id": "S-1-5-18", + "name": "WIN-BVM4LI1L1Q6$" + }, + "winlog": { + "activity_id": "{dfcd2c2a-7481-0000-682c-cddf8174d601}", + "channel": "Security", + "computer_name": "WIN-BVM4LI1L1Q6.TEST.local", + "event_data": { + "NewSd": "S:(AU;SA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-2024912787-2692429404-2351956786-500)(AU;SA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-2024912787-2692429404-2351956786-1000)", + "NewSdSacl0": "Administrator :System Audit ([Create All Child Objects, Delete All Child Objects, List Contents, All Validated, Read All Properties, Write All Properties, Delete Subtree, List Object, All Extended Rights, Delete, Read Permissions, Modify Permissions, Modify Owner])", + "NewSdSacl1": "null :System Audit ([Create All Child Objects, Delete All Child Objects, List Contents, All Validated, Read All Properties, Write All Properties, Delete Subtree, List Object, All Extended Rights, Delete, Read Permissions, Modify 
Permissions, Modify Owner])", + "ObjectName": "File", + "ObjectServer": "LSA", + "ObjectType": "Global SACL", + "SubjectDomainName": "TEST", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "WIN-BVM4LI1L1Q6$", + "SubjectUserSid": "S-1-5-18" + }, + "event_id": "4817", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x3e7" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 776, + "thread": { + "id": 3052 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "114278", + "time_created": "2020-08-17T12:49:09.494Z" } } ] diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4902-windowssrv2016.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4902-windowssrv2016.json-expected.json index 00d96f9c32a..90ff128ffee 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-4902-windowssrv2016.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4902-windowssrv2016.json-expected.json 
@@ -1,66 +1,65 @@
 {
 "expected": [
 {
+ "@timestamp": "2020-08-19T06:07:08.801Z",
 "agent": {
- "name": "Lees-MBP.localdomain",
- "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
 "ephemeral_id": "fc71c55d-e66b-404f-933a-7bf02109440e",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
 "type": "filebeat",
 "version": "8.0.0"
 },
- "@timestamp": "2020-08-19T06:07:08.801Z",
- "winlog": {
- "computer_name": "WIN-BVM4LI1L1Q6.TEST.local",
- "process": {
- "pid": 784,
- "thread": {
- "id": 832
- }
- },
- "keywords": [
- "Audit Success"
- ],
- "level": "information",
- "channel": "Security",
- "event_data": {
- "PuaCount": "0",
- "PuaPolicyId": "0x9fd2"
- },
- "opcode": "Info",
- "record_id": "140273",
- "event_id": "4902",
- "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
- "time_created": "2020-08-19T06:07:08.801Z",
- "provider_name": "Microsoft-Windows-Security-Auditing",
- "outcome": "success"
- },
 "ecs": {
 "version": "8.0.0"
 },
- "log": {
- "level": "information",
- "file": {
- "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4902_WindowsSrv2016.xml"
- }
- },
- "host": {
- "name": "WIN-BVM4LI1L1Q6.TEST.local"
- },
 "event": {
- "ingested": "2022-01-12T04:30:31.821300387Z",
- "code": "4902",
- "provider": "Microsoft-Windows-Security-Auditing",
- "kind": "event",
 "action": "user-audit-policy-created",
 "category": [
 "iam",
 "configuration"
 ],
+ "code": "4902",
+ "kind": "event",
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing",
 "type": [
 "admin",
 "creation"
+ ]
+ },
+ "host": {
+ "name": "WIN-BVM4LI1L1Q6.TEST.local"
+ },
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4902_WindowsSrv2016.xml"
+ },
+ "level": "information"
+ },
+ "winlog": {
+ "channel": "Security",
+ "computer_name": "WIN-BVM4LI1L1Q6.TEST.local",
+ "event_data": {
+ "PuaCount": "0",
+ "PuaPolicyId": "0x9fd2"
+ },
+ "event_id": "4902",
+ "keywords": [
+ "Audit Success"
 ],
- "outcome": "success"
+ "level": "information",
+ "opcode": "Info",
+ "outcome": "success",
+ "process": {
+ "pid": 784,
+ "thread": {
+ "id": 832
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "140273",
+ "time_created": "2020-08-19T06:07:08.801Z"
 }
 }
 ]
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4904-windowssrv2016.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4904-windowssrv2016.json-expected.json
index 802b73037f6..0cff5cf1919 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4904-windowssrv2016.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4904-windowssrv2016.json-expected.json
@@ -1,27 +1,69 @@
 {
 "expected": [
 {
+ "@timestamp": "2020-08-19T07:56:52.019Z",
 "agent": {
- "name": "Lees-MBP.localdomain",
- "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
 "ephemeral_id": "14ac41cb-35f1-42cd-abe2-03f4a8a6a47c",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
 "type": "filebeat",
 "version": "8.0.0"
 },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "action": "security-event-source-added",
+ "category": [
+ "iam",
+ "configuration"
+ ],
+ "code": "4904",
+ "kind": "event",
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": [
+ "admin",
+ "change"
+ ]
+ },
+ "host": {
+ "name": "WIN-BVM4LI1L1Q6.TEST.local"
+ },
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4904_WindowsSrv2016.xml"
+ },
+ "level": "information"
+ },
 "process": {
+ "executable": "C:\\Windows\\System32\\inetsrv\\inetinfo.exe",
 "name": "inetinfo.exe",
- "pid": 3608,
- "executable": "C:\\Windows\\System32\\inetsrv\\inetinfo.exe"
+ "pid": 3608
+ },
+ "related": {
+ "user": [
+ "WIN-BVM4LI1L1Q6$"
+ ]
+ },
+ "user": {
+ "domain": "TEST",
+ "id": "S-1-5-18",
+ "name": "WIN-BVM4LI1L1Q6$"
 },
- "@timestamp": "2020-08-19T07:56:52.019Z",
 "winlog": {
+ "activity_id": "{dab46f85-75ee-0000-c36f-b4daee75d601}",
+ "channel": "Security",
 "computer_name": "WIN-BVM4LI1L1Q6.TEST.local",
- "process": {
- "pid": 784,
- "thread": {
- "id": 824
- }
+ "event_data": {
+ "AuditSourceName": "IIS-METABASE",
+ "EventSourceId": "0x460422",
+ "SubjectDomainName": "TEST",
+ "SubjectLogonId": "0x3e7",
+ "SubjectUserName": "WIN-BVM4LI1L1Q6$",
+ "SubjectUserSid": "S-1-5-18"
 },
+ "event_id": "4904",
 "keywords": [
 "Audit Success"
 ],
@@ -29,61 +71,18 @@
 "logon": {
 "id": "0x3e7"
 },
- "channel": "Security",
- "event_data": {
- "SubjectUserName": "WIN-BVM4LI1L1Q6$",
- "SubjectDomainName": "TEST",
- "SubjectLogonId": "0x3e7",
- "AuditSourceName": "IIS-METABASE",
- "SubjectUserSid": "S-1-5-18",
- "EventSourceId": "0x460422"
- },
 "opcode": "Info",
- "record_id": "146939",
- "event_id": "4904",
+ "outcome": "success",
+ "process": {
+ "pid": 784,
+ "thread": {
+ "id": 824
+ }
+ },
 "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
- "activity_id": "{dab46f85-75ee-0000-c36f-b4daee75d601}",
- "time_created": "2020-08-19T07:56:52.019Z",
 "provider_name": "Microsoft-Windows-Security-Auditing",
- "outcome": "success"
- },
- "ecs": {
- "version": "8.0.0"
- },
- "related": {
- "user": [
- "WIN-BVM4LI1L1Q6$"
- ]
- },
- "log": {
- "level": "information",
- "file": {
- "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4904_WindowsSrv2016.xml"
- }
- },
- "host": {
- "name": "WIN-BVM4LI1L1Q6.TEST.local"
- },
- "event": {
- "ingested": "2022-01-12T04:30:31.989762149Z",
- "code": "4904",
- "provider": "Microsoft-Windows-Security-Auditing",
- "kind": "event",
- "action": "security-event-source-added",
- "category": [
- "iam",
- "configuration"
- ],
- "type": [
- "admin",
- "change"
- ],
- "outcome": "success"
- },
- "user": {
- "name": "WIN-BVM4LI1L1Q6$",
- "domain": "TEST",
- "id": "S-1-5-18"
+ "record_id": "146939",
+ "time_created": "2020-08-19T07:56:52.019Z"
 }
 }
 ]
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4905-windowssrv2016.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4905-windowssrv2016.json-expected.json
index ca1add7362d..d82389c5756 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4905-windowssrv2016.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4905-windowssrv2016.json-expected.json
@@ -1,27 +1,69 @@
 {
 "expected": [
 {
+ "@timestamp": "2020-08-19T07:56:51.579Z",
 "agent": {
- "name": "Lees-MBP.localdomain",
- "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
 "ephemeral_id": "5006f11d-fa2c-4238-810b-aa5e25ec5399",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
 "type": "filebeat",
 "version": "8.0.0"
 },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "action": "security-event-source-removed",
+ "category": [
+ "iam",
+ "configuration"
+ ],
+ "code": "4905",
+ "kind": "event",
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": [
+ "admin",
+ "deletion"
+ ]
+ },
+ "host": {
+ "name": "WIN-BVM4LI1L1Q6.TEST.local"
+ },
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4905_WindowsSrv2016.xml"
+ },
+ "level": "information"
+ },
 "process": {
+ "executable": "-",
 "name": "-",
- "pid": 4964,
- "executable": "-"
+ "pid": 4964
+ },
+ "related": {
+ "user": [
+ "WIN-BVM4LI1L1Q6$"
+ ]
+ },
+ "user": {
+ "domain": "TEST",
+ "id": "S-1-5-18",
+ "name": "WIN-BVM4LI1L1Q6$"
 },
- "@timestamp": "2020-08-19T07:56:51.579Z",
 "winlog": {
+ "activity_id": "{dab46f85-75ee-0000-c36f-b4daee75d601}",
+ "channel": "Security",
 "computer_name": "WIN-BVM4LI1L1Q6.TEST.local",
- "process": {
- "pid": 784,
- "thread": {
- "id": 824
- }
+ "event_data": {
+ "AuditSourceName": "IIS-METABASE",
+ "EventSourceId": "0x457b22",
+ "SubjectDomainName": "TEST",
+ "SubjectLogonId": "0x3e7",
+ "SubjectUserName": "WIN-BVM4LI1L1Q6$",
+ "SubjectUserSid": "S-1-5-18"
 },
+ "event_id": "4905",
 "keywords": [
 "Audit Success"
 ],
@@ -29,61 +71,18 @@
 "logon": {
 "id": "0x3e7"
 },
- "channel": "Security",
- "event_data": {
- "SubjectUserName": "WIN-BVM4LI1L1Q6$",
- "SubjectDomainName": "TEST",
- "SubjectLogonId": "0x3e7",
- "AuditSourceName": "IIS-METABASE",
- "SubjectUserSid": "S-1-5-18",
- "EventSourceId": "0x457b22"
- },
 "opcode": "Info",
- "record_id": "146938",
- "event_id": "4905",
+ "outcome": "success",
+ "process": {
+ "pid": 784,
+ "thread": {
+ "id": 824
+ }
+ },
 "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
- "activity_id": "{dab46f85-75ee-0000-c36f-b4daee75d601}",
- "time_created": "2020-08-19T07:56:51.579Z",
 "provider_name": "Microsoft-Windows-Security-Auditing",
- "outcome": "success"
- },
- "ecs": {
- "version": "8.0.0"
- },
- "related": {
- "user": [
- "WIN-BVM4LI1L1Q6$"
- ]
- },
- "log": {
- "level": "information",
- "file": {
- "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4905_WindowsSrv2016.xml"
- }
- },
- "host": {
- "name": "WIN-BVM4LI1L1Q6.TEST.local"
- },
- "event": {
- "ingested": "2022-01-12T04:30:32.268417649Z",
- "code": "4905",
- "provider": "Microsoft-Windows-Security-Auditing",
- "kind": "event",
- "action": "security-event-source-removed",
- "category": [
- "iam",
- "configuration"
- ],
- "type": [
- "admin",
- "deletion"
- ],
- "outcome": "success"
- },
- "user": {
- "name": "WIN-BVM4LI1L1Q6$",
- "domain": "TEST",
- "id": "S-1-5-18"
+ "record_id": "146938",
+ "time_created": "2020-08-19T07:56:51.579Z"
 }
 }
 ]
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4906-windowssrv2016.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4906-windowssrv2016.json-expected.json
index fbcdefe8ab0..799d71df1a3 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4906-windowssrv2016.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4906-windowssrv2016.json-expected.json
@@ -1,65 +1,64 @@
 {
 "expected": [
 {
+ "@timestamp": "2020-08-18T09:19:00.237Z",
 "agent": {
- "name": "Lees-MBP.localdomain",
- "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
 "ephemeral_id": "00431590-51a2-47a6-a2bf-f0ceaed9fa0f",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
 "type": "filebeat",
 "version": "8.0.0"
 },
- "@timestamp": "2020-08-18T09:19:00.237Z",
- "winlog": {
- "computer_name": "WIN-BVM4LI1L1Q6.TEST.local",
- "process": {
- "pid": 780,
- "thread": {
- "id": 804
- }
- },
- "keywords": [
- "Audit Success"
- ],
- "level": "information",
- "channel": "Security",
- "event_data": {
- "CrashOnAuditFailValue": "1"
- },
- "opcode": "Info",
- "record_id": "123786",
- "event_id": "4906",
- "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
- "time_created": "2020-08-18T09:19:00.237Z",
- "provider_name": "Microsoft-Windows-Security-Auditing",
- "outcome": "success"
- },
 "ecs": {
 "version": "8.0.0"
 },
- "log": {
- "level": "information",
- "file": {
- "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4906_WindowsSrv2016.xml"
- }
- },
- "host": {
- "name": "WIN-BVM4LI1L1Q6.TEST.local"
- },
 "event": {
- "ingested": "2022-01-12T04:30:32.900912681Z",
- "code": "4906",
- "provider": "Microsoft-Windows-Security-Auditing",
- "kind": "event",
 "action": "crash-on-audit-changed",
 "category": [
 "iam",
 "configuration"
 ],
+ "code": "4906",
+ "kind": "event",
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing",
 "type": [
 "admin",
 "change"
+ ]
+ },
+ "host": {
+ "name": "WIN-BVM4LI1L1Q6.TEST.local"
+ },
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4906_WindowsSrv2016.xml"
+ },
+ "level": "information"
+ },
+ "winlog": {
+ "channel": "Security",
+ "computer_name": "WIN-BVM4LI1L1Q6.TEST.local",
+ "event_data": {
+ "CrashOnAuditFailValue": "1"
+ },
+ "event_id": "4906",
+ "keywords": [
+ "Audit Success"
 ],
- "outcome": "success"
+ "level": "information",
+ "opcode": "Info",
+ "outcome": "success",
+ "process": {
+ "pid": 780,
+ "thread": {
+ "id": 804
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "123786",
+ "time_created": "2020-08-18T09:19:00.237Z"
 }
 }
 ]
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-4907-windowssrv2016.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-4907-windowssrv2016.json-expected.json
index 95165bfa40d..5b929d394e2 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-4907-windowssrv2016.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-4907-windowssrv2016.json-expected.json
@@ -1,27 +1,72 @@
 {
 "expected": [
 {
+ "@timestamp": "2020-08-19T07:56:17.112Z",
 "agent": {
- "name": "Lees-MBP.localdomain",
- "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
 "ephemeral_id": "d42932a5-9237-4c88-b833-60e3b66915d8",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
 "type": "filebeat",
 "version": "8.0.0"
 },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "action": "audit-setting-changed",
+ "category": [
+ "iam",
+ "configuration"
+ ],
+ "code": "4907",
+ "kind": "event",
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": [
+ "admin",
+ "change"
+ ]
+ },
+ "host": {
+ "name": "WIN-BVM4LI1L1Q6.TEST.local"
+ },
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4907_WindowsSrv2016.xml"
+ },
+ "level": "information"
+ },
 "process": {
+ "executable": "C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.1883_none_7ed84bd822106081\\TiWorker.exe",
 "name": "TiWorker.exe",
- "pid": 4300,
- "executable": "C:\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.1883_none_7ed84bd822106081\\TiWorker.exe"
+ "pid": 4300
+ },
+ "related": {
+ "user": [
+ "WIN-BVM4LI1L1Q6$"
+ ]
+ },
+ "user": {
+ "domain": "TEST",
+ "id": "S-1-5-18",
+ "name": "WIN-BVM4LI1L1Q6$"
 },
- "@timestamp": "2020-08-19T07:56:17.112Z",
 "winlog": {
+ "channel": "Security",
 "computer_name": "WIN-BVM4LI1L1Q6.TEST.local",
- "process": {
- "pid": 4,
- "thread": {
- "id": 408
- }
+ "event_data": {
+ "HandleId": "0x93c",
+ "NewSd": "S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)",
+ "NewSdSacl0": "Everyone :System Audit ([Delete All Child Objects, List Contents, Read All Properties, All Extended Rights, Delete, Modify Permissions, Modify Owner])",
+ "ObjectName": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Modules\\RemoteAccess\\RemoteAccess.psd1",
+ "ObjectServer": "Security",
+ "ObjectType": "File",
+ "SubjectDomainName": "TEST",
+ "SubjectLogonId": "0x3e7",
+ "SubjectUserName": "WIN-BVM4LI1L1Q6$",
+ "SubjectUserSid": "S-1-5-18"
 },
+ "event_id": "4907",
 "keywords": [
 "Audit Success"
 ],
@@ -29,64 +74,18 @@
 "logon": {
 "id": "0x3e7"
 },
- "channel": "Security",
- "event_data": {
- "ObjectType": "File",
- "SubjectUserName": "WIN-BVM4LI1L1Q6$",
- "ObjectServer": "Security",
- "HandleId": "0x93c",
- "SubjectDomainName": "TEST",
- "NewSd": "S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)",
- "SubjectLogonId": "0x3e7",
- "NewSdSacl0": "Everyone :System Audit ([Delete All Child Objects, List Contents, Read All Properties, All Extended Rights, Delete, Modify Permissions, Modify Owner])",
- "SubjectUserSid": "S-1-5-18",
- "ObjectName": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Modules\\RemoteAccess\\RemoteAccess.psd1"
- },
 "opcode": "Info",
- "record_id": "146933",
- "event_id": "4907",
+ "outcome": "success",
+ "process": {
+ "pid": 4,
+ "thread": {
+ "id": 408
+ }
+ },
 "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
- "time_created": "2020-08-19T07:56:17.112Z",
 "provider_name": "Microsoft-Windows-Security-Auditing",
- "outcome": "success"
- },
- "ecs": {
- "version": "8.0.0"
- },
- "related": {
- "user": [
- "WIN-BVM4LI1L1Q6$"
- ]
- },
- "log": {
- "level": "information",
- "file": {
- "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/4907_WindowsSrv2016.xml"
- }
- },
- "host": {
- "name": "WIN-BVM4LI1L1Q6.TEST.local"
- },
- "event": {
- "ingested": "2022-01-12T04:30:33.215599528Z",
- "code": "4907",
- "provider": "Microsoft-Windows-Security-Auditing",
- "kind": "event",
- "action": "audit-setting-changed",
- "category": [
- "iam",
- "configuration"
- ],
- "type": [
- "admin",
- "change"
- ],
- "outcome": "success"
- },
- "user": {
- "name": "WIN-BVM4LI1L1Q6$",
- "domain": "TEST",
- "id": "S-1-5-18"
+ "record_id": "146933",
+ "time_created": "2020-08-19T07:56:17.112Z"
 }
 }
 ]
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4673.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4673.json-expected.json
index d41acf4ea09..a50b4fc2ecc 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4673.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4673.json-expected.json
@@ -1,27 +1,69 @@
 {
 "expected": [
 {
+ "@timestamp": "2020-04-06T06:39:04.549Z",
 "agent": {
- "name": "Lees-MBP.localdomain",
- "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
 "ephemeral_id": "f86f8f87-0401-4d4d-a9b3-d3a9a524dde2",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
 "type": "filebeat",
 "version": "8.0.0"
 },
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "action": "privileged-service-called",
+ "category": [
+ "iam"
+ ],
+ "code": "4673",
+ "kind": "event",
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": [
+ "admin"
+ ]
+ },
+ "host": {
+ "name": "DC_TEST2k12.TEST.SAAS"
+ },
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4673.xml"
+ },
+ "level": "information"
+ },
 "process": {
+ "executable": "C:\\Windows\\System32\\lsass.exe",
 "name": "lsass.exe",
- "pid": 496,
- "executable": "C:\\Windows\\System32\\lsass.exe"
+ "pid": 496
+ },
+ "related": {
+ "user": [
+ "DC_TEST2K12$"
+ ]
+ },
+ "user": {
+ "domain": "TEST",
+ "id": "S-1-5-18",
+ "name": "DC_TEST2K12$"
 },
- "@timestamp": "2020-04-06T06:39:04.549Z",
 "winlog": {
+ "channel": "Security",
 "computer_name": "DC_TEST2k12.TEST.SAAS",
- "process": {
- "pid": 496,
- "thread": {
- "id": 504
- }
+ "event_data": {
+ "ObjectServer": "NT Local Security Authority / Authentication Service",
+ "PrivilegeList": [
+ "SeTcbPrivilege"
+ ],
+ "Service": "LsaRegisterLogonProcess()",
+ "SubjectDomainName": "TEST",
+ "SubjectLogonId": "0x3e7",
+ "SubjectUserName": "DC_TEST2K12$",
+ "SubjectUserSid": "S-1-5-18"
 },
+ "event_id": "4673",
 "keywords": [
 "Audit Success"
 ],
@@ -29,61 +71,18 @@
 "logon": {
 "id": "0x3e7"
 },
- "channel": "Security",
- "event_data": {
- "SubjectUserName": "DC_TEST2K12$",
- "ObjectServer": "NT Local Security Authority / Authentication Service",
- "Service": "LsaRegisterLogonProcess()",
- "SubjectDomainName": "TEST",
- "SubjectLogonId": "0x3e7",
- "PrivilegeList": [
- "SeTcbPrivilege"
- ],
- "SubjectUserSid": "S-1-5-18"
- },
 "opcode": "Info",
- "record_id": "5109160",
- "event_id": "4673",
+ "outcome": "success",
+ "process": {
+ "pid": 496,
+ "thread": {
+ "id": 504
+ }
+ },
 "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
- "time_created": "2020-04-06T06:39:04.549Z",
 "provider_name": "Microsoft-Windows-Security-Auditing",
- "outcome": "success"
- },
- "ecs": {
- "version": "8.0.0"
- },
- "related": {
- "user": [
- "DC_TEST2K12$"
- ]
- },
- "log": {
- "level": "information",
- "file": {
- "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4673.xml"
- }
- },
- "host": {
- "name": "DC_TEST2k12.TEST.SAAS"
- },
- "event": {
- "ingested": "2022-01-12T04:30:33.511008416Z",
- "code": "4673",
- "provider": "Microsoft-Windows-Security-Auditing",
- "kind": "event",
- "action": "privileged-service-called",
- "category": [
- "iam"
- ],
- "type": [
- "admin"
- ],
- "outcome": "success"
- },
- "user": {
- "name": "DC_TEST2K12$",
- "domain": "TEST",
- "id": "S-1-5-18"
+ "record_id": "5109160",
+ "time_created": "2020-04-06T06:39:04.549Z"
 }
 }
 ]
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4697.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4697.json-expected.json
index eb4d3784198..073bab47605 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4697.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4697.json-expected.json
@@ -1,91 +1,90 @@
 {
 "expected": [
 {
+ "@timestamp": "2020-04-02T14:34:08.889Z",
 "agent": {
- "name": "Lees-MBP.localdomain",
- "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
 "ephemeral_id": "961c8568-c795-47e6-8d9f-661cdab1fac0",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
 "type": "filebeat",
 "version": "8.0.0"
 },
- "@timestamp": "2020-04-02T14:34:08.889Z",
- "winlog": {
- "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
- "process": {
- "pid": 792,
- "thread": {
- "id": 2492
- }
- },
- "keywords": [
- "Audit Success"
- ],
- "level": "information",
- "logon": {
- "id": "0x4c323"
- },
- "channel": "Security",
- "event_data": {
- "ServiceAccount": "LocalSystem",
- "SubjectUserName": "Administrator",
- "ServiceStartType": "2",
- "ServiceName": "winlogbeat",
- "ServiceType": "0x10",
- "SubjectDomainName": "WLBEAT",
- "SubjectLogonId": "0x4c323",
- "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500",
- "ServiceFileName": "\"C:\\Program Files\\Winlogbeat\\winlogbeat.exe\" -c \"C:\\Program Files\\Winlogbeat\\winlogbeat.yml\" -path.home \"C:\\Program Files\\Winlogbeat\" -path.data \"C:\\ProgramData\\winlogbeat\" -path.logs \"C:\\ProgramData\\winlogbeat\\logs\" -E logging.files.redirect_stderr=true"
- },
- "opcode": "Info",
- "record_id": "90108",
- "event_id": "4697",
- "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
- "activity_id": "{74b64d41-08ce-0000-454f-b674ce08d601}",
- "time_created": "2020-04-02T14:34:08.889Z",
- "provider_name": "Microsoft-Windows-Security-Auditing",
- "outcome": "success"
- },
 "ecs": {
 "version": "8.0.0"
 },
- "related": {
- "user": [
- "Administrator"
- ]
- },
- "log": {
- "level": "information",
- "file": {
- "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4697.xml"
- }
- },
- "service": {
- "name": "winlogbeat",
- "type": "Win32 Own Process"
- },
- "host": {
- "name": "WIN-41OB2LO92CR.wlbeat.local"
- },
 "event": {
- "ingested": "2022-01-12T04:30:34.030690266Z",
- "code": "4697",
- "provider": "Microsoft-Windows-Security-Auditing",
- "kind": "event",
 "action": "service-installed",
 "category": [
 "iam",
 "configuration"
 ],
+ "code": "4697",
+ "kind": "event",
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing",
 "type": [
 "admin",
 "change"
- ],
- "outcome": "success"
+ ]
+ },
+ "host": {
+ "name": "WIN-41OB2LO92CR.wlbeat.local"
+ },
+ "log": {
+ "file": {
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4697.xml"
+ },
+ "level": "information"
+ },
+ "related": {
+ "user": [
+ "Administrator"
+ ]
+ },
+ "service": {
+ "name": "winlogbeat",
+ "type": "Win32 Own Process"
 },
 "user": {
- "name": "Administrator",
 "domain": "WLBEAT",
- "id": "S-1-5-21-101361758-2486510592-3018839910-500"
+ "id": "S-1-5-21-101361758-2486510592-3018839910-500",
+ "name": "Administrator"
+ },
+ "winlog": {
+ "activity_id": "{74b64d41-08ce-0000-454f-b674ce08d601}",
+ "channel": "Security",
+ "computer_name": "WIN-41OB2LO92CR.wlbeat.local",
+ "event_data": {
+ "ServiceAccount": "LocalSystem",
+ "ServiceFileName": "\"C:\\Program Files\\Winlogbeat\\winlogbeat.exe\" -c \"C:\\Program Files\\Winlogbeat\\winlogbeat.yml\" -path.home \"C:\\Program Files\\Winlogbeat\" -path.data \"C:\\ProgramData\\winlogbeat\" -path.logs \"C:\\ProgramData\\winlogbeat\\logs\" -E logging.files.redirect_stderr=true",
+ "ServiceName": "winlogbeat",
+ "ServiceStartType": "2",
+ "ServiceType": "0x10",
+ "SubjectDomainName": "WLBEAT",
+ "SubjectLogonId": "0x4c323",
+ "SubjectUserName": "Administrator",
+ "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500"
+ },
+ "event_id": "4697",
+ "keywords": [
+ "Audit Success"
+ ],
+ "level": "information",
+ "logon": {
+ "id": "0x4c323"
+ },
+ "opcode": "Info",
+ "outcome": "success",
+ "process": {
+ "pid": 792,
+ "thread": {
+ "id": 2492
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "90108",
+ "time_created": "2020-04-02T14:34:08.889Z"
 }
 }
 ]
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4768.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4768.json-expected.json
index 209435d0fe9..8762189d3fe 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4768.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4768.json-expected.json
@@ -1,99 +1,98 @@
 {
 "expected": [
 {
+ "@timestamp": "2020-04-01T08:45:44.171Z",
 "agent": {
- "name": "Lees-MBP.localdomain",
- "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
 "ephemeral_id": "2e71c92e-5c70-4ea4-aad7-d3a2174f2a6d",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
 "type": "filebeat",
 "version": "8.0.0"
 },
- "winlog": {
- "computer_name": "DC_TEST2k12.TEST.SAAS",
- "process": {
- "pid": 496,
- "thread": {
- "id": 2868
- }
- },
- "keywords": [
- "Audit Success"
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "action": "kerberos-authentication-ticket-requested",
+ "category": [
+ "authentication"
 ],
- "level": "information",
- "channel": "Security",
- "event_data": {
- "PreAuthType": "2",
- "Status": "0x0",
- "TicketEncryptionType": "0x12",
- "ServiceName": "krbtgt",
- "TicketOptionsDescription": [
- "Forwardable",
- "Renewable-ok",
- "Name-canonicalize",
- "Renewable"
- ],
- "StatusDescription": "KDC_ERR_NONE",
- "TicketOptions": "0x40810010",
- "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2794",
- "ServiceSid": "S-1-5-21-1717121054-434620538-60925301-502",
- "TargetUserName": "at_adm",
- "TargetDomainName": "TEST.SAAS",
- "TicketEncryptionTypeDescription": "AES256-CTS-HMAC-SHA1-96"
- },
- "opcode": "Info",
- "record_id": "5040235",
- "event_id": "4768",
- "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
- "time_created": "2020-04-01T08:45:44.171Z",
- "provider_name": "Microsoft-Windows-Security-Auditing",
- "outcome": "success"
+ "code": "4768",
+ "kind": "event",
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": [
+ "start"
+ ]
+ },
+ "host": {
+ "name": "DC_TEST2k12.TEST.SAAS"
 },
 "log": {
- "level": "information",
 "file": {
 "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4768.xml"
- }
- },
- "source": {
- "port": 0,
- "ip": "::1"
- },
- "@timestamp": "2020-04-01T08:45:44.171Z",
- "ecs": {
- "version": "8.0.0"
+ },
+ "level": "information"
 },
 "related": {
- "user": [
- "at_adm"
- ],
 "ip": [
 "::1"
+ ],
+ "user": [
+ "at_adm"
 ]
 },
 "service": {
 "name": "krbtgt"
 },
- "host": {
- "name": "DC_TEST2k12.TEST.SAAS"
- },
- "event": {
- "ingested": "2022-01-12T04:30:34.591838494Z",
- "code": "4768",
- "provider": "Microsoft-Windows-Security-Auditing",
- "kind": "event",
- "action": "kerberos-authentication-ticket-requested",
- "category": [
- "authentication"
- ],
- "type": [
- "start"
- ],
- "outcome": "success"
+ "source": {
+ "ip": "::1",
+ "port": 0
 },
 "user": {
- "name": "at_adm",
 "domain": "TEST.SAAS",
- "id": "S-1-5-21-1717121054-434620538-60925301-2794"
+ "id": "S-1-5-21-1717121054-434620538-60925301-2794",
+ "name": "at_adm"
+ },
+ "winlog": {
+ "channel": "Security",
+ "computer_name": "DC_TEST2k12.TEST.SAAS",
+ "event_data": {
+ "PreAuthType": "2",
+ "ServiceName": "krbtgt",
+ "ServiceSid": "S-1-5-21-1717121054-434620538-60925301-502",
+ "Status": "0x0",
+ "StatusDescription": "KDC_ERR_NONE",
+ "TargetDomainName": "TEST.SAAS",
+ "TargetSid": "S-1-5-21-1717121054-434620538-60925301-2794",
+ "TargetUserName": "at_adm",
+ "TicketEncryptionType": "0x12",
+ "TicketEncryptionTypeDescription": "AES256-CTS-HMAC-SHA1-96",
+ "TicketOptions": "0x40810010",
+ "TicketOptionsDescription": [
+ "Forwardable",
+ "Renewable-ok",
+ "Name-canonicalize",
+ "Renewable"
+ ]
+ },
+ "event_id": "4768",
+ "keywords": [
+ "Audit Success"
+ ],
+ "level": "information",
+ "opcode": "Info",
+ "outcome": "success",
+ "process": {
+ "pid": 496,
+ "thread": {
+ "id": 2868
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "5040235",
+ "time_created": "2020-04-01T08:45:44.171Z"
 }
 }
 ]
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4769.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4769.json-expected.json
index e03855fa907..ac8d7d2ccc2 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4769.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4769.json-expected.json
@@ -1,97 +1,96 @@
 {
 "expected": [
 {
+ "@timestamp": "2020-04-01T08:45:44.171Z",
 "agent": {
- "name": "Lees-MBP.localdomain",
- "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
 "ephemeral_id": "d417a772-3290-465f-97d4-7e1221f76934",
+ "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17",
+ "name": "Lees-MBP.localdomain",
 "type": "filebeat",
 "version": "8.0.0"
 },
- "winlog": {
- "computer_name": "DC_TEST2k12.TEST.SAAS",
- "process": {
- "pid": 496,
- "thread": {
- "id": 2868
- }
- },
- "keywords": [
- "Audit Success"
+ "ecs": {
+ "version": "8.0.0"
+ },
+ "event": {
+ "action": "kerberos-service-ticket-requested",
+ "category": [
+ "authentication"
 ],
- "level": "information",
- "channel": "Security",
- "event_data": {
- "Status": "0x0",
- "TicketEncryptionType": "0x12",
- "LogonGuid": "{46f85809-d26e-96f5-fbf2-73bd761a2d68}",
- "ServiceName": "DC_TEST2K12$",
- "TicketOptionsDescription": [
- "Forwardable",
- "Name-canonicalize",
- "Renewable"
- ],
- "StatusDescription": "KDC_ERR_NONE",
- "TicketOptions": "0x40810000",
- "ServiceSid": "S-1-5-21-1717121054-434620538-60925301-1110",
- "TransmittedServices": "-",
- "TargetUserName": "at_adm@TEST.SAAS",
- "TargetDomainName": "TEST.SAAS",
- "TicketEncryptionTypeDescription": "AES256-CTS-HMAC-SHA1-96"
- },
- "opcode": "Info",
- "record_id": "5040236",
- "event_id": "4769",
- "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
- "time_created": "2020-04-01T08:45:44.171Z",
- "provider_name": "Microsoft-Windows-Security-Auditing",
- "outcome": "success"
+ "code": "4769",
+ "kind": "event",
+ "outcome": "success",
+ "provider": "Microsoft-Windows-Security-Auditing",
+ "type": [
+ "start"
+ ]
+ },
+ "host": {
+ "name": "DC_TEST2k12.TEST.SAAS"
 },
 "log": {
- "level": "information",
 "file": {
 "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4769.xml"
- }
- },
- "source": {
- "port": 0,
- "ip": "::1"
- },
- "@timestamp": "2020-04-01T08:45:44.171Z",
- "ecs": {
- "version": "8.0.0"
+ },
+ "level": "information"
 },
 "related": {
- "user": [
- "at_adm"
- ],
 "ip": [
 "::1"
+ ],
+ "user": [
+ "at_adm"
 ]
 },
 "service": {
 "name": "DC_TEST2K12$"
 },
- "host": {
- "name": "DC_TEST2k12.TEST.SAAS"
- },
- "event": {
- "ingested": "2022-01-12T04:30:35.105404731Z",
- "code": "4769",
- "provider": "Microsoft-Windows-Security-Auditing",
- "kind": "event",
- "action": "kerberos-service-ticket-requested",
- "category": [
- "authentication"
- ],
- "type": [
- "start"
- ],
- "outcome": "success"
+ "source": {
+ "ip": "::1",
+ "port": 0
 },
 "user": {
- "name": "at_adm",
- "domain": "TEST.SAAS"
+ "domain": "TEST.SAAS",
+ "name": "at_adm"
+ },
+ "winlog": {
+ "channel": "Security",
+ "computer_name": "DC_TEST2k12.TEST.SAAS",
+ "event_data": {
+ "LogonGuid": "{46f85809-d26e-96f5-fbf2-73bd761a2d68}",
+ "ServiceName": "DC_TEST2K12$",
+ "ServiceSid": "S-1-5-21-1717121054-434620538-60925301-1110",
+ "Status": "0x0",
+ "StatusDescription": "KDC_ERR_NONE",
+ "TargetDomainName": "TEST.SAAS",
+ "TargetUserName": "at_adm@TEST.SAAS",
+ "TicketEncryptionType": "0x12",
+ "TicketEncryptionTypeDescription": "AES256-CTS-HMAC-SHA1-96",
+ "TicketOptions": "0x40810000",
+ "TicketOptionsDescription": [
+ "Forwardable",
+ "Name-canonicalize",
+ "Renewable"
+ ],
+ "TransmittedServices": "-"
+ },
+ "event_id": "4769",
+ "keywords": [
+ "Audit Success"
+ ],
+ "level": "information",
+ "opcode": "Info",
+ "outcome": "success",
+ "process": {
+ "pid": 496,
+ "thread": {
+ "id": 2868
+ }
+ },
+ "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}",
+ "provider_name": "Microsoft-Windows-Security-Auditing",
+ "record_id": "5040236",
+ "time_created": "2020-04-01T08:45:44.171Z"
 }
 }
 ]
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4770.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4770.json-expected.json
index cf3420bdbd6..9bf1289ffc2 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4770.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4770.json-expected.json
@@ -1,92 +1,91 @@ { "expected": [ { + "@timestamp": "2020-04-01T07:32:55.010Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "ecb4944b-a4a6-4a12-be3c-2aa7175c6f7c", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "winlog": { - "computer_name": "DC_TEST2k12.TEST.SAAS", - "process": { - "pid": 496, - "thread": { - "id": 4468 - } - }, - "keywords": [ - "Audit Success" + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "kerberos-service-ticket-renewed", + "category": [ + "authentication" ], - "level": "information", - "channel": "Security", - "event_data": { - "TicketEncryptionType": "0x12", - "ServiceName": "krbtgt", - "TicketOptionsDescription": [ - "Name-canonicalize", - "Renew" - ], - "TicketOptions": "0x10002", - "ServiceSid": "S-1-5-21-1717121054-434620538-60925301-502", - "TargetUserName": "DC_TEST2K12$@TEST.SAAS", - "TargetDomainName": "TEST.SAAS", - "TicketEncryptionTypeDescription": "AES256-CTS-HMAC-SHA1-96" - }, - "opcode": "Info", - "record_id": "5039598", - "event_id": "4770", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2020-04-01T07:32:55.010Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" + "code": "4770", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "start" + ] + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" }, "log": { - "level": "information", "file": { "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4770.xml" - } - }, - "source": { - "port": 0, - "ip": "::1" - }, - "@timestamp": "2020-04-01T07:32:55.010Z", - "ecs": { - "version": "8.0.0" + }, + "level": "information" }, "related": { - "user": [ - "DC_TEST2K12$" - ], "ip": [ "::1" + ], + "user": [ + "DC_TEST2K12$" ] }, "service": { "name": "krbtgt" }, - 
"host": { - "name": "DC_TEST2k12.TEST.SAAS" - }, - "event": { - "ingested": "2022-01-12T04:30:35.704737221Z", - "code": "4770", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", - "action": "kerberos-service-ticket-renewed", - "category": [ - "authentication" - ], - "type": [ - "start" - ], - "outcome": "success" + "source": { + "ip": "::1", + "port": 0 }, "user": { - "name": "DC_TEST2K12$", - "domain": "TEST.SAAS" + "domain": "TEST.SAAS", + "name": "DC_TEST2K12$" + }, + "winlog": { + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "ServiceName": "krbtgt", + "ServiceSid": "S-1-5-21-1717121054-434620538-60925301-502", + "TargetDomainName": "TEST.SAAS", + "TargetUserName": "DC_TEST2K12$@TEST.SAAS", + "TicketEncryptionType": "0x12", + "TicketEncryptionTypeDescription": "AES256-CTS-HMAC-SHA1-96", + "TicketOptions": "0x10002", + "TicketOptionsDescription": [ + "Name-canonicalize", + "Renew" + ] + }, + "event_id": "4770", + "keywords": [ + "Audit Success" + ], + "level": "information", + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 496, + "thread": { + "id": 4468 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "5039598", + "time_created": "2020-04-01T07:32:55.010Z" } } ] diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4771.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4771.json-expected.json index f8f14a96c62..3b8265c25ac 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4771.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4771.json-expected.json 
@@ -1,94 +1,93 @@ { "expected": [ { + "@timestamp": "2020-03-31T07:50:27.168Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "ac571f8c-8d98-4d24-8463-f0e5d0a13bdd", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "winlog": { - "computer_name": "DC_TEST2k12.TEST.SAAS", - "process": { - "pid": 496, - "thread": { - "id": 4552 - } - }, - "keywords": [ - "Audit Failure" + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "kerberos-preauth-failed", + "category": [ + "authentication" ], - "level": "information", - "channel": "Security", - "event_data": { - "PreAuthType": "0", - "Status": "0x12", - "ServiceName": "krbtgt/test.saas", - "TicketOptionsDescription": [ - "Forwardable", - "Renewable-ok", - "Name-canonicalize", - "Renewable" - ], - "StatusDescription": "KDC_ERR_CLIENT_REVOKED", - "TicketOptions": "0x40810010", - "TargetSid": "S-1-5-21-1717121054-434620538-60925301-3057", - "TargetUserName": "MPUIG" - }, - "opcode": "Info", - "record_id": "5027836", - "event_id": "4771", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2020-03-31T07:50:27.168Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "failure" + "code": "4771", + "kind": "event", + "outcome": "failure", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "start" + ] + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" }, "log": { - "level": "information", "file": { "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4771.xml" - } - }, - "source": { - "port": 53366, - "ip": "192.168.5.44" - }, - "@timestamp": "2020-03-31T07:50:27.168Z", - "ecs": { - "version": "8.0.0" + }, + "level": "information" }, "related": { - "user": [ - "MPUIG" - ], "ip": [ "192.168.5.44" + ], + "user": [ + "MPUIG" ] }, "service": { "name": "krbtgt/test.saas" }, - 
"host": { - "name": "DC_TEST2k12.TEST.SAAS" - }, - "event": { - "ingested": "2022-01-12T04:30:36.458226870Z", - "code": "4771", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", - "action": "kerberos-preauth-failed", - "category": [ - "authentication" - ], - "type": [ - "start" - ], - "outcome": "failure" + "source": { + "ip": "192.168.5.44", + "port": 53366 }, "user": { - "name": "MPUIG", - "id": "S-1-5-21-1717121054-434620538-60925301-3057" + "id": "S-1-5-21-1717121054-434620538-60925301-3057", + "name": "MPUIG" + }, + "winlog": { + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "PreAuthType": "0", + "ServiceName": "krbtgt/test.saas", + "Status": "0x12", + "StatusDescription": "KDC_ERR_CLIENT_REVOKED", + "TargetSid": "S-1-5-21-1717121054-434620538-60925301-3057", + "TargetUserName": "MPUIG", + "TicketOptions": "0x40810010", + "TicketOptionsDescription": [ + "Forwardable", + "Renewable-ok", + "Name-canonicalize", + "Renewable" + ] + }, + "event_id": "4771", + "keywords": [ + "Audit Failure" + ], + "level": "information", + "opcode": "Info", + "outcome": "failure", + "process": { + "pid": 496, + "thread": { + "id": 4552 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "5027836", + "time_created": "2020-03-31T07:50:27.168Z" } } ] diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4776.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4776.json-expected.json index 825ae3cb293..c2482777bc7 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4776.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4776.json-expected.json 
@@ -1,22 +1,57 @@ { "expected": [ { + "@timestamp": "2020-04-01T08:45:42.187Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "e3bf3bc5-3815-4ca8-ad10-d40daaa047fc", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2020-04-01T08:45:42.187Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "credential-validated", + "category": [ + "authentication" + ], + "code": "4776", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "start" + ] + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4776.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "at_adm" + ] + }, + "user": { + "name": "at_adm" + }, "winlog": { + "channel": "Security", "computer_name": "DC_TEST2k12.TEST.SAAS", - "process": { - "pid": 496, - "thread": { - "id": 1864 - } + "event_data": { + "PackageName": "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0", + "Status": "0x0", + "TargetUserName": "at_adm", + "Workstation": "EQP01777" }, + "event_id": "4776", "keywords": [ "Audit Success" ], 
@@ -26,54 +61,18 @@ "status": "Status OK." } }, - "channel": "Security", - "event_data": { - "Status": "0x0", - "Workstation": "EQP01777", - "TargetUserName": "at_adm", - "PackageName": "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0" - }, "opcode": "Info", - "record_id": "5040222", - "event_id": "4776", + "outcome": "success", + "process": { + "pid": 496, + "thread": { + "id": 1864 + } + }, "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2020-04-01T08:45:42.187Z", "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, - "ecs": { - "version": "8.0.0" - }, - "related": { - "user": [ - "at_adm" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4776.xml" - } - }, - "host": { - "name": "DC_TEST2k12.TEST.SAAS" - }, - "event": { - "ingested": "2022-01-12T04:30:36.833513658Z", - "code": "4776", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", - "action": "credential-validated", - "category": [ - "authentication" - ], - "type": [ - "start" - ], - "outcome": "success" - }, - "user": { - "name": "at_adm" + "record_id": "5040222", + "time_created": "2020-04-01T08:45:42.187Z" } } ] diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4778.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4778.json-expected.json index 1eda9931784..771655c5811 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4778.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4778.json-expected.json 
@@ -1,88 +1,87 @@ { "expected": [ { + "@timestamp": "2020-04-05T16:33:32.388Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "f305e9f9-96b1-4f18-a864-144e6a3fc46d", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2020-04-05T16:33:32.388Z", - "winlog": { - "computer_name": "DC_TEST2k12.TEST.SAAS", - "process": { - "pid": 496, - "thread": { - "id": 4184 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x76fea87" - }, - "channel": "Security", - "event_data": { - "ClientName": "EQP01777", - "ClientAddress": "10.100.150.9", - "AccountDomain": "TEST", - "LogonID": "0x76fea87", - "SessionName": "RDP-Tcp#127", - "AccountName": "at_adm" - }, - "opcode": "Info", - "record_id": "5101675", - "event_id": "4778", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2020-04-05T16:33:32.388Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "at_adm" - ], - "ip": [ - "10.100.150.9" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4778.xml" - } - }, - "host": { - "name": "DC_TEST2k12.TEST.SAAS" - }, - "source": { - "ip": "10.100.150.9", - "domain": "EQP01777" - }, "event": { - "ingested": "2022-01-12T04:30:37.379373584Z", - "code": "4778", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "session-reconnected", "category": [ "authentication", "session" ], + "code": "4778", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "start" + ] + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "file": { + "path": 
"/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4778.xml" + }, + "level": "information" + }, + "related": { + "ip": [ + "10.100.150.9" ], - "outcome": "success" + "user": [ + "at_adm" + ] + }, + "source": { + "domain": "EQP01777", + "ip": "10.100.150.9" }, "user": { - "name": "at_adm", - "domain": "TEST" + "domain": "TEST", + "name": "at_adm" + }, + "winlog": { + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "AccountDomain": "TEST", + "AccountName": "at_adm", + "ClientAddress": "10.100.150.9", + "ClientName": "EQP01777", + "LogonID": "0x76fea87", + "SessionName": "RDP-Tcp#127" + }, + "event_id": "4778", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x76fea87" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 496, + "thread": { + "id": 4184 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "5101675", + "time_created": "2020-04-05T16:33:32.388Z" } } ] diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4779.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4779.json-expected.json index 33b9672a1d4..bc3cf06301b 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4779.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012-4779.json-expected.json 
@@ -1,88 +1,87 @@ { "expected": [ { + "@timestamp": "2020-04-03T10:18:01.882Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "d9d93a3d-3242-4f55-a4de-4ded8ae26301", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2020-04-03T10:18:01.882Z", - "winlog": { - "computer_name": "DC_TEST2k12.TEST.SAAS", - "process": { - "pid": 496, - "thread": { - "id": 3852 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x60d1ccb" - }, - "channel": "Security", - "event_data": { - "ClientName": "EQP01777", - "ClientAddress": "10.100.150.17", - "AccountDomain": "TEST", - "LogonID": "0x60d1ccb", - "SessionName": "RDP-Tcp#116", - "AccountName": "at_adm" - }, - "opcode": "Info", - "record_id": "5069070", - "event_id": "4779", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2020-04-03T10:18:01.882Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "at_adm" - ], - "ip": [ - "10.100.150.17" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4779.xml" - } - }, - "host": { - "name": "DC_TEST2k12.TEST.SAAS" - }, - "source": { - "ip": "10.100.150.17", - "domain": "EQP01777" - }, "event": { - "ingested": "2022-01-12T04:30:37.755497775Z", - "code": "4779", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "session-disconnected", "category": [ "authentication", "session" ], + "code": "4779", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "end" + ] + }, + "host": { + "name": "DC_TEST2k12.TEST.SAAS" + }, + "log": { + "file": { + "path": 
"/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012_4779.xml" + }, + "level": "information" + }, + "related": { + "ip": [ + "10.100.150.17" ], - "outcome": "success" + "user": [ + "at_adm" + ] + }, + "source": { + "domain": "EQP01777", + "ip": "10.100.150.17" }, "user": { - "name": "at_adm", - "domain": "TEST" + "domain": "TEST", + "name": "at_adm" + }, + "winlog": { + "channel": "Security", + "computer_name": "DC_TEST2k12.TEST.SAAS", + "event_data": { + "AccountDomain": "TEST", + "AccountName": "at_adm", + "ClientAddress": "10.100.150.17", + "ClientName": "EQP01777", + "LogonID": "0x60d1ccb", + "SessionName": "RDP-Tcp#116" + }, + "event_id": "4779", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x60d1ccb" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 496, + "thread": { + "id": 3852 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "5069070", + "time_created": "2020-04-03T10:18:01.882Z" } } ] diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012r2-logon.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012r2-logon.json-expected.json index 728307ea2fd..2dc52b95fb5 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012r2-logon.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2012r2-logon.json-expected.json 
@@ -1,1786 +1,1768 @@ { "expected": [ { + "@timestamp": "2019-03-29T21:10:39.786Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "logged-in", + "category": [ + "authentication" + ], + "code": "4624", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "start" + ] + }, + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + }, + "level": "information" + }, "process": { + "executable": "C:\\Windows\\System32\\services.exe", "name": "services.exe", - "pid": 508, - "executable": "C:\\Windows\\System32\\services.exe" + "pid": 508 + }, + "related": { + "user": [ + "SYSTEM", + "VAGRANT-2012-R2$" + ] + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "SYSTEM" }, - "@timestamp": "2019-03-29T21:10:39.786Z", "winlog": { - "computer_name": "vagrant-2012-r2", - "process": { - "pid": 516, - "thread": { - "id": 536 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "type": "Service", - "id": "0x3e7" - }, "channel": "Security", + "computer_name": "vagrant-2012-r2", "event_data": { - "LogonGuid": "{00000000-0000-0000-0000-000000000000}", - "LogonType": "5", + "AuthenticationPackageName": "Negotiate", + "ImpersonationLevel": "%%1833", + "IpAddress": "-", "IpPort": "-", - "SubjectLogonId": "0x3e7", - "TransmittedServices": "-", "KeyLength": "0", "LmPackageName": "-", - "TargetLogonId": "0x3e7", - "SubjectUserName": "VAGRANT-2012-R2$", - "IpAddress": "-", - "SubjectDomainName": "WORKGROUP", - "ImpersonationLevel": "%%1833", - "TargetUserName": 
"SYSTEM", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", "LogonProcessName": "Advapi ", - "TargetDomainName": "NT AUTHORITY", + "LogonType": "5", + "SubjectDomainName": "WORKGROUP", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "VAGRANT-2012-R2$", "SubjectUserSid": "S-1-5-18", - "AuthenticationPackageName": "Negotiate", - "TargetUserSid": "S-1-5-18" + "TargetDomainName": "NT AUTHORITY", + "TargetLogonId": "0x3e7", + "TargetUserName": "SYSTEM", + "TargetUserSid": "S-1-5-18", + "TransmittedServices": "-" }, - "opcode": "Info", - "version": 1, - "record_id": "1535", "event_id": "4624", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x3e7", + "type": "Service" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 516, + "thread": { + "id": 536 + } + }, "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-03-29T21:10:39.786Z", "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" + "record_id": "1535", + "time_created": "2019-03-29T21:10:39.786Z", + "version": 1 + } + }, + { + "@timestamp": "2019-03-29T21:10:40.255Z", + "agent": { + "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "SYSTEM", - "VAGRANT-2012-R2$" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - } - }, - "host": { - "name": "vagrant-2012-r2" - }, "event": { - "ingested": "2022-01-12T04:30:38.005283584Z", - "code": "4624", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "logged-in", "category": [ "authentication" ], + "code": "4624", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", 
"type": [ "start" - ], - "outcome": "success" + ] }, - "user": { - "name": "SYSTEM", - "domain": "NT AUTHORITY", - "id": "S-1-5-18" - } - }, - { - "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", - "type": "filebeat", - "version": "8.0.0" + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + }, + "level": "information" }, "process": { + "executable": "C:\\Windows\\System32\\services.exe", "name": "services.exe", - "pid": 508, - "executable": "C:\\Windows\\System32\\services.exe" + "pid": 508 + }, + "related": { + "user": [ + "SYSTEM", + "VAGRANT-2012-R2$" + ] + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "SYSTEM" }, - "@timestamp": "2019-03-29T21:10:40.255Z", "winlog": { - "computer_name": "vagrant-2012-r2", - "process": { - "pid": 516, - "thread": { - "id": 556 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "type": "Service", - "id": "0x3e7" - }, "channel": "Security", + "computer_name": "vagrant-2012-r2", "event_data": { - "LogonGuid": "{00000000-0000-0000-0000-000000000000}", - "LogonType": "5", + "AuthenticationPackageName": "Negotiate", + "ImpersonationLevel": "%%1833", + "IpAddress": "-", "IpPort": "-", - "SubjectLogonId": "0x3e7", - "TransmittedServices": "-", "KeyLength": "0", "LmPackageName": "-", - "TargetLogonId": "0x3e7", - "SubjectUserName": "VAGRANT-2012-R2$", - "IpAddress": "-", - "SubjectDomainName": "WORKGROUP", - "ImpersonationLevel": "%%1833", - "TargetUserName": "SYSTEM", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", "LogonProcessName": "Advapi ", - "TargetDomainName": "NT AUTHORITY", + "LogonType": "5", + "SubjectDomainName": "WORKGROUP", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "VAGRANT-2012-R2$", "SubjectUserSid": 
"S-1-5-18", - "AuthenticationPackageName": "Negotiate", - "TargetUserSid": "S-1-5-18" + "TargetDomainName": "NT AUTHORITY", + "TargetLogonId": "0x3e7", + "TargetUserName": "SYSTEM", + "TargetUserSid": "S-1-5-18", + "TransmittedServices": "-" }, - "opcode": "Info", - "version": 1, - "record_id": "1538", "event_id": "4624", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x3e7", + "type": "Service" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 516, + "thread": { + "id": 556 + } + }, "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-03-29T21:10:40.255Z", "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" + "record_id": "1538", + "time_created": "2019-03-29T21:10:40.255Z", + "version": 1 + } + }, + { + "@timestamp": "2019-03-29T21:10:40.380Z", + "agent": { + "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "SYSTEM", - "VAGRANT-2012-R2$" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - } - }, - "host": { - "name": "vagrant-2012-r2" - }, "event": { - "ingested": "2022-01-12T04:30:38.005285890Z", - "code": "4624", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "logged-in", "category": [ "authentication" ], + "code": "4624", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "start" - ], - "outcome": "success" + ] }, - "user": { - "name": "SYSTEM", - "domain": "NT AUTHORITY", - "id": "S-1-5-18" - } - }, - { - "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "ephemeral_id": 
"53889096-967d-4626-8c5c-9ec81f6bbc50", - "type": "filebeat", - "version": "8.0.0" + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + }, + "level": "information" }, "process": { + "executable": "C:\\Windows\\System32\\winlogon.exe", "name": "winlogon.exe", - "pid": 448, - "executable": "C:\\Windows\\System32\\winlogon.exe" + "pid": 448 }, - "winlog": { - "computer_name": "vagrant-2012-r2", - "process": { - "pid": 516, - "thread": { - "id": 556 - } - }, - "keywords": [ - "Audit Success" + "related": { + "ip": [ + "127.0.0.1" ], - "level": "information", - "logon": { - "type": "Interactive", - "id": "0x3e7" - }, + "user": [ + "vagrant", + "VAGRANT-2012-R2$" + ] + }, + "source": { + "domain": "VAGRANT-2012-R2", + "ip": "127.0.0.1", + "port": 0 + }, + "user": { + "domain": "VAGRANT-2012-R2", + "id": "S-1-5-21-3541430928-2051711210-1391384369-1001", + "name": "vagrant" + }, + "winlog": { "channel": "Security", + "computer_name": "vagrant-2012-r2", "event_data": { + "AuthenticationPackageName": "Negotiate", + "ImpersonationLevel": "%%1833", + "KeyLength": "0", + "LmPackageName": "-", "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "LogonProcessName": "User32 ", "LogonType": "2", + "SubjectDomainName": "WORKGROUP", "SubjectLogonId": "0x3e7", - "TransmittedServices": "-", - "KeyLength": "0", - "LmPackageName": "-", - "TargetLogonId": "0x1008e", "SubjectUserName": "VAGRANT-2012-R2$", - "SubjectDomainName": "WORKGROUP", - "ImpersonationLevel": "%%1833", - "TargetUserName": "vagrant", - "LogonProcessName": "User32 ", - "TargetDomainName": "VAGRANT-2012-R2", "SubjectUserSid": "S-1-5-18", - "AuthenticationPackageName": "Negotiate", - "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001" + "TargetDomainName": "VAGRANT-2012-R2", + "TargetLogonId": "0x1008e", + "TargetUserName": "vagrant", + "TargetUserSid": 
"S-1-5-21-3541430928-2051711210-1391384369-1001", + "TransmittedServices": "-" }, - "opcode": "Info", - "version": 1, - "record_id": "1542", "event_id": "4624", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x3e7", + "type": "Interactive" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 516, + "thread": { + "id": 556 + } + }, "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-03-29T21:10:40.380Z", "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - } - }, - "source": { - "port": 0, - "ip": "127.0.0.1", - "domain": "VAGRANT-2012-R2" + "record_id": "1542", + "time_created": "2019-03-29T21:10:40.380Z", + "version": 1 + } + }, + { + "@timestamp": "2019-03-29T21:10:40.505Z", + "agent": { + "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" }, - "@timestamp": "2019-03-29T21:10:40.380Z", "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "vagrant", - "VAGRANT-2012-R2$" - ], - "ip": [ - "127.0.0.1" - ] - }, - "host": { - "name": "vagrant-2012-r2" - }, "event": { - "ingested": "2022-01-12T04:30:38.005286821Z", - "code": "4624", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "logged-in", "category": [ "authentication" ], + "code": "4624", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "start" - ], - "outcome": "success" + ] }, - "user": { - "name": "vagrant", - "domain": "VAGRANT-2012-R2", - "id": "S-1-5-21-3541430928-2051711210-1391384369-1001" - } - }, - { - "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", 
- "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", - "type": "filebeat", - "version": "8.0.0" + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + }, + "level": "information" }, "process": { + "executable": "C:\\Windows\\System32\\services.exe", "name": "services.exe", - "pid": 508, - "executable": "C:\\Windows\\System32\\services.exe" + "pid": 508 + }, + "related": { + "user": [ + "SYSTEM", + "VAGRANT-2012-R2$" + ] + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "SYSTEM" }, - "@timestamp": "2019-03-29T21:10:40.505Z", "winlog": { - "computer_name": "vagrant-2012-r2", - "process": { - "pid": 516, - "thread": { - "id": 556 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "type": "Service", - "id": "0x3e7" - }, "channel": "Security", + "computer_name": "vagrant-2012-r2", "event_data": { - "LogonGuid": "{00000000-0000-0000-0000-000000000000}", - "LogonType": "5", + "AuthenticationPackageName": "Negotiate", + "ImpersonationLevel": "%%1833", + "IpAddress": "-", "IpPort": "-", - "SubjectLogonId": "0x3e7", - "TransmittedServices": "-", "KeyLength": "0", "LmPackageName": "-", - "TargetLogonId": "0x3e7", - "SubjectUserName": "VAGRANT-2012-R2$", - "IpAddress": "-", - "SubjectDomainName": "WORKGROUP", - "ImpersonationLevel": "%%1833", - "TargetUserName": "SYSTEM", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", "LogonProcessName": "Advapi ", - "TargetDomainName": "NT AUTHORITY", + "LogonType": "5", + "SubjectDomainName": "WORKGROUP", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "VAGRANT-2012-R2$", "SubjectUserSid": "S-1-5-18", - "AuthenticationPackageName": "Negotiate", - "TargetUserSid": "S-1-5-18" + "TargetDomainName": "NT AUTHORITY", + "TargetLogonId": "0x3e7", + "TargetUserName": "SYSTEM", + "TargetUserSid": "S-1-5-18", + "TransmittedServices": "-" }, 
- "opcode": "Info", - "version": 1, - "record_id": "1545", "event_id": "4624", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x3e7", + "type": "Service" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 516, + "thread": { + "id": 556 + } + }, "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-03-29T21:10:40.505Z", "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" + "record_id": "1545", + "time_created": "2019-03-29T21:10:40.505Z", + "version": 1 + } + }, + { + "@timestamp": "2019-03-29T21:10:40.630Z", + "agent": { + "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "SYSTEM", - "VAGRANT-2012-R2$" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - } - }, - "host": { - "name": "vagrant-2012-r2" - }, "event": { - "ingested": "2022-01-12T04:30:38.005287795Z", - "code": "4624", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "logged-in", "category": [ "authentication" ], + "code": "4624", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "start" - ], - "outcome": "success" + ] }, - "user": { - "name": "SYSTEM", - "domain": "NT AUTHORITY", - "id": "S-1-5-18" - } - }, - { - "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", - "type": "filebeat", - "version": "8.0.0" + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "file": { + "path": 
"/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + }, + "level": "information" }, "process": { + "executable": "-", "name": "-", - "pid": 0, - "executable": "-" + "pid": 0 + }, + "related": { + "user": [ + "ANONYMOUS LOGON" + ] + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-7", + "name": "ANONYMOUS LOGON" }, - "@timestamp": "2019-03-29T21:10:40.630Z", "winlog": { + "channel": "Security", "computer_name": "vagrant-2012-r2", - "process": { - "pid": 516, - "thread": { - "id": 556 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "type": "Network", - "id": "0x0" - }, - "channel": "Security", "event_data": { - "LogonGuid": "{00000000-0000-0000-0000-000000000000}", - "LogonType": "3", + "AuthenticationPackageName": "NTLM", + "ImpersonationLevel": "%%1833", + "IpAddress": "-", "IpPort": "-", - "SubjectLogonId": "0x0", - "TransmittedServices": "-", "KeyLength": "0", "LmPackageName": "NTLM V1", - "TargetLogonId": "0x129f1", - "SubjectUserName": "-", - "IpAddress": "-", - "SubjectDomainName": "-", - "ImpersonationLevel": "%%1833", - "TargetUserName": "ANONYMOUS LOGON", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", "LogonProcessName": "NtLmSsp ", - "TargetDomainName": "NT AUTHORITY", + "LogonType": "3", + "SubjectDomainName": "-", + "SubjectLogonId": "0x0", + "SubjectUserName": "-", "SubjectUserSid": "S-1-0-0", - "AuthenticationPackageName": "NTLM", - "TargetUserSid": "S-1-5-7" + "TargetDomainName": "NT AUTHORITY", + "TargetLogonId": "0x129f1", + "TargetUserName": "ANONYMOUS LOGON", + "TargetUserSid": "S-1-5-7", + "TransmittedServices": "-" }, - "opcode": "Info", - "version": 1, - "record_id": "1547", "event_id": "4624", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x0", + "type": "Network" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 516, + "thread": { + "id": 556 + } + }, 
"provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-03-29T21:10:40.630Z", "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" + "record_id": "1547", + "time_created": "2019-03-29T21:10:40.630Z", + "version": 1 + } + }, + { + "@timestamp": "2019-03-29T21:10:53.661Z", + "agent": { + "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "ANONYMOUS LOGON" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - } - }, - "host": { - "name": "vagrant-2012-r2" - }, "event": { - "ingested": "2022-01-12T04:30:38.005288600Z", - "code": "4624", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "logged-in", "category": [ "authentication" ], + "code": "4624", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "start" - ], - "outcome": "success" + ] }, - "user": { - "name": "ANONYMOUS LOGON", - "domain": "NT AUTHORITY", - "id": "S-1-5-7" - } - }, - { - "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", - "type": "filebeat", - "version": "8.0.0" + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + }, + "level": "information" }, "process": { + "executable": "-", "name": "-", - "pid": 0, - "executable": "-" + "pid": 0 + }, + "related": { + "user": [ + "vagrant" + ] + }, + "user": { + "domain": "VAGRANT-2012-R2", + "id": "S-1-5-21-3541430928-2051711210-1391384369-1001", + "name": "vagrant" }, - 
"@timestamp": "2019-03-29T21:10:53.661Z", "winlog": { - "computer_name": "vagrant-2012-r2", - "process": { - "pid": 516, - "thread": { - "id": 556 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "type": "Network", - "id": "0x0" - }, "channel": "Security", + "computer_name": "vagrant-2012-r2", "event_data": { - "LogonGuid": "{00000000-0000-0000-0000-000000000000}", - "LogonType": "3", + "AuthenticationPackageName": "NTLM", + "ImpersonationLevel": "%%1833", + "IpAddress": "-", "IpPort": "-", - "SubjectLogonId": "0x0", - "TransmittedServices": "-", "KeyLength": "128", "LmPackageName": "NTLM V2", - "TargetLogonId": "0x28d31", - "SubjectUserName": "-", - "IpAddress": "-", - "SubjectDomainName": "-", - "ImpersonationLevel": "%%1833", - "TargetUserName": "vagrant", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", "LogonProcessName": "NtLmSsp ", - "TargetDomainName": "VAGRANT-2012-R2", + "LogonType": "3", + "SubjectDomainName": "-", + "SubjectLogonId": "0x0", + "SubjectUserName": "-", "SubjectUserSid": "S-1-0-0", - "AuthenticationPackageName": "NTLM", - "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001" + "TargetDomainName": "VAGRANT-2012-R2", + "TargetLogonId": "0x28d31", + "TargetUserName": "vagrant", + "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001", + "TransmittedServices": "-" }, - "opcode": "Info", - "version": 1, - "record_id": "1550", "event_id": "4624", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x0", + "type": "Network" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 516, + "thread": { + "id": 556 + } + }, "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-03-29T21:10:53.661Z", "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" + "record_id": "1550", + "time_created": "2019-03-29T21:10:53.661Z", + "version": 1 + } + }, + { + "@timestamp": 
"2019-03-29T21:10:54.661Z", + "agent": { + "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "vagrant" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - } - }, - "host": { - "name": "vagrant-2012-r2" - }, "event": { - "ingested": "2022-01-12T04:30:38.005289472Z", - "code": "4624", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "logged-in", "category": [ "authentication" ], + "code": "4624", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "start" - ], - "outcome": "success" + ] }, - "user": { - "name": "vagrant", - "domain": "VAGRANT-2012-R2", - "id": "S-1-5-21-3541430928-2051711210-1391384369-1001" - } - }, - { - "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", - "type": "filebeat", - "version": "8.0.0" + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + }, + "level": "information" }, "process": { + "executable": "-", "name": "-", - "pid": 0, - "executable": "-" + "pid": 0 + }, + "related": { + "user": [ + "vagrant" + ] + }, + "user": { + "domain": "VAGRANT-2012-R2", + "id": "S-1-5-21-3541430928-2051711210-1391384369-1001", + "name": "vagrant" }, - "@timestamp": "2019-03-29T21:10:54.661Z", "winlog": { - "computer_name": "vagrant-2012-r2", - "process": { - "pid": 516, - "thread": { - "id": 548 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "type": "Network", - "id": "0x0" - }, 
"channel": "Security", + "computer_name": "vagrant-2012-r2", "event_data": { - "LogonGuid": "{00000000-0000-0000-0000-000000000000}", - "LogonType": "3", + "AuthenticationPackageName": "NTLM", + "ImpersonationLevel": "%%1833", + "IpAddress": "-", "IpPort": "-", - "SubjectLogonId": "0x0", - "TransmittedServices": "-", "KeyLength": "128", "LmPackageName": "NTLM V2", - "TargetLogonId": "0x29f0f", - "SubjectUserName": "-", - "IpAddress": "-", - "SubjectDomainName": "-", - "ImpersonationLevel": "%%1833", - "TargetUserName": "vagrant", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", "LogonProcessName": "NtLmSsp ", - "TargetDomainName": "VAGRANT-2012-R2", + "LogonType": "3", + "SubjectDomainName": "-", + "SubjectLogonId": "0x0", + "SubjectUserName": "-", "SubjectUserSid": "S-1-0-0", - "AuthenticationPackageName": "NTLM", - "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001" + "TargetDomainName": "VAGRANT-2012-R2", + "TargetLogonId": "0x29f0f", + "TargetUserName": "vagrant", + "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001", + "TransmittedServices": "-" }, - "opcode": "Info", - "version": 1, - "record_id": "1553", "event_id": "4624", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-03-29T21:10:54.661Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, - "ecs": { - "version": "8.0.0" - }, - "related": { - "user": [ - "vagrant" - ] - }, - "log": { + "keywords": [ + "Audit Success" + ], "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - } + "logon": { + "id": "0x0", + "type": "Network" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 516, + "thread": { + "id": 548 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "1553", + "time_created": 
"2019-03-29T21:10:54.661Z", + "version": 1 + } + }, + { + "@timestamp": "2019-03-29T21:10:55.458Z", + "agent": { + "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" }, - "host": { - "name": "vagrant-2012-r2" + "ecs": { + "version": "8.0.0" }, "event": { - "ingested": "2022-01-12T04:30:38.005290267Z", - "code": "4624", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "logged-in", "category": [ "authentication" ], + "code": "4624", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "start" - ], - "outcome": "success" + ] }, - "user": { - "name": "vagrant", - "domain": "VAGRANT-2012-R2", - "id": "S-1-5-21-3541430928-2051711210-1391384369-1001" - } - }, - { - "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", - "type": "filebeat", - "version": "8.0.0" + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + }, + "level": "information" }, "process": { + "executable": "-", "name": "-", - "pid": 0, - "executable": "-" + "pid": 0 + }, + "related": { + "user": [ + "vagrant" + ] + }, + "user": { + "domain": "VAGRANT-2012-R2", + "id": "S-1-5-21-3541430928-2051711210-1391384369-1001", + "name": "vagrant" }, - "@timestamp": "2019-03-29T21:10:55.458Z", "winlog": { - "computer_name": "vagrant-2012-r2", - "process": { - "pid": 516, - "thread": { - "id": 548 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "type": "Network", - "id": "0x0" - }, "channel": "Security", + "computer_name": "vagrant-2012-r2", "event_data": { - "LogonGuid": "{00000000-0000-0000-0000-000000000000}", - "LogonType": "3", + 
"AuthenticationPackageName": "NTLM", + "ImpersonationLevel": "%%1833", + "IpAddress": "-", "IpPort": "-", - "SubjectLogonId": "0x0", - "TransmittedServices": "-", "KeyLength": "128", "LmPackageName": "NTLM V2", - "TargetLogonId": "0x2a362", - "SubjectUserName": "-", - "IpAddress": "-", - "SubjectDomainName": "-", - "ImpersonationLevel": "%%1833", - "TargetUserName": "vagrant", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", "LogonProcessName": "NtLmSsp ", - "TargetDomainName": "VAGRANT-2012-R2", + "LogonType": "3", + "SubjectDomainName": "-", + "SubjectLogonId": "0x0", + "SubjectUserName": "-", "SubjectUserSid": "S-1-0-0", - "AuthenticationPackageName": "NTLM", - "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001" + "TargetDomainName": "VAGRANT-2012-R2", + "TargetLogonId": "0x2a362", + "TargetUserName": "vagrant", + "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001", + "TransmittedServices": "-" }, - "opcode": "Info", - "version": 1, - "record_id": "1556", "event_id": "4624", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x0", + "type": "Network" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 516, + "thread": { + "id": 548 + } + }, "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-03-29T21:10:55.458Z", "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" + "record_id": "1556", + "time_created": "2019-03-29T21:10:55.458Z", + "version": 1 + } + }, + { + "@timestamp": "2019-03-29T21:13:17.302Z", + "agent": { + "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "vagrant" - ] - }, - "log": { - "level": "information", - "file": { - "path": 
"/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - } - }, - "host": { - "name": "vagrant-2012-r2" - }, "event": { - "ingested": "2022-01-12T04:30:38.005291020Z", - "code": "4624", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "logged-in", "category": [ "authentication" ], + "code": "4624", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "start" - ], - "outcome": "success" + ] }, - "user": { - "name": "vagrant", - "domain": "VAGRANT-2012-R2", - "id": "S-1-5-21-3541430928-2051711210-1391384369-1001" - } - }, - { - "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", - "type": "filebeat", - "version": "8.0.0" + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + }, + "level": "information" }, "process": { + "executable": "-", "name": "-", - "pid": 0, - "executable": "-" + "pid": 0 + }, + "related": { + "user": [ + "vagrant" + ] + }, + "source": { + "domain": "127.0.0.1" + }, + "user": { + "domain": "VAGRANT-2012-R2", + "id": "S-1-5-21-3541430928-2051711210-1391384369-1001", + "name": "vagrant" }, "winlog": { - "computer_name": "vagrant-2012-r2", - "process": { - "pid": 516, - "thread": { - "id": 808 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "type": "Network", - "id": "0x0" - }, "channel": "Security", + "computer_name": "vagrant-2012-r2", "event_data": { - "LogonGuid": "{00000000-0000-0000-0000-000000000000}", - "LogonType": "3", + "AuthenticationPackageName": "NTLM", + "ImpersonationLevel": "%%1833", + "IpAddress": "-", "IpPort": "-", - "SubjectLogonId": "0x0", - "TransmittedServices": "-", "KeyLength": "128", "LmPackageName": "NTLM V2", - 
"TargetLogonId": "0x324f8", - "SubjectUserName": "-", - "IpAddress": "-", - "SubjectDomainName": "-", - "ImpersonationLevel": "%%1833", - "TargetUserName": "vagrant", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", "LogonProcessName": "NtLmSsp ", - "TargetDomainName": "VAGRANT-2012-R2", + "LogonType": "3", + "SubjectDomainName": "-", + "SubjectLogonId": "0x0", + "SubjectUserName": "-", "SubjectUserSid": "S-1-0-0", - "AuthenticationPackageName": "NTLM", - "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001" + "TargetDomainName": "VAGRANT-2012-R2", + "TargetLogonId": "0x324f8", + "TargetUserName": "vagrant", + "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001", + "TransmittedServices": "-" }, - "opcode": "Info", - "version": 1, - "record_id": "1561", "event_id": "4624", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x0", + "type": "Network" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 516, + "thread": { + "id": 808 + } + }, "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-03-29T21:13:17.302Z", "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - } - }, - "source": { - "domain": "127.0.0.1" + "record_id": "1561", + "time_created": "2019-03-29T21:13:17.302Z", + "version": 1 + } + }, + { + "@timestamp": "2019-03-29T21:13:17.521Z", + "agent": { + "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" }, - "@timestamp": "2019-03-29T21:13:17.302Z", "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "vagrant" - ] - }, - "host": { - "name": "vagrant-2012-r2" - }, "event": { - "ingested": 
"2022-01-12T04:30:38.005291930Z", - "code": "4624", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "logged-in", "category": [ "authentication" ], + "code": "4624", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "start" - ], - "outcome": "success" + ] }, - "user": { - "name": "vagrant", - "domain": "VAGRANT-2012-R2", - "id": "S-1-5-21-3541430928-2051711210-1391384369-1001" - } - }, - { - "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", - "type": "filebeat", - "version": "8.0.0" + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + }, + "level": "information" + }, + "process": { + "executable": "C:\\Windows\\System32\\winlogon.exe", + "name": "winlogon.exe", + "pid": 2812 + }, + "related": { + "user": [ + "DWM-2", + "VAGRANT-2012-R2$" + ] }, - "process": { - "name": "winlogon.exe", - "pid": 2812, - "executable": "C:\\Windows\\System32\\winlogon.exe" + "user": { + "domain": "Window Manager", + "id": "S-1-5-90-2", + "name": "DWM-2" }, - "@timestamp": "2019-03-29T21:13:17.521Z", "winlog": { - "computer_name": "vagrant-2012-r2", - "process": { - "pid": 516, - "thread": { - "id": 548 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "type": "Interactive", - "id": "0x3e7" - }, "channel": "Security", + "computer_name": "vagrant-2012-r2", "event_data": { - "LogonGuid": "{00000000-0000-0000-0000-000000000000}", - "LogonType": "2", + "AuthenticationPackageName": "Negotiate", + "ImpersonationLevel": "%%1833", + "IpAddress": "-", "IpPort": "-", - "SubjectLogonId": "0x3e7", - "TransmittedServices": "-", "KeyLength": "0", "LmPackageName": "-", - "TargetLogonId": "0x33444", - "SubjectUserName": "VAGRANT-2012-R2$", - 
"IpAddress": "-", - "SubjectDomainName": "WORKGROUP", - "ImpersonationLevel": "%%1833", - "TargetUserName": "DWM-2", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", "LogonProcessName": "Advapi ", - "TargetDomainName": "Window Manager", + "LogonType": "2", + "SubjectDomainName": "WORKGROUP", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "VAGRANT-2012-R2$", "SubjectUserSid": "S-1-5-18", - "AuthenticationPackageName": "Negotiate", - "TargetUserSid": "S-1-5-90-2" + "TargetDomainName": "Window Manager", + "TargetLogonId": "0x33444", + "TargetUserName": "DWM-2", + "TargetUserSid": "S-1-5-90-2", + "TransmittedServices": "-" }, - "opcode": "Info", - "version": 1, - "record_id": "1563", "event_id": "4624", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x3e7", + "type": "Interactive" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 516, + "thread": { + "id": 548 + } + }, "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-03-29T21:13:17.521Z", "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" + "record_id": "1563", + "time_created": "2019-03-29T21:13:17.521Z", + "version": 1 + } + }, + { + "@timestamp": "2019-03-29T21:13:17.614Z", + "agent": { + "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "DWM-2", - "VAGRANT-2012-R2$" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - } - }, - "host": { - "name": "vagrant-2012-r2" - }, "event": { - "ingested": "2022-01-12T04:30:38.005292685Z", - "code": "4624", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "logged-in", "category": [ 
"authentication" ], + "code": "4624", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "start" - ], - "outcome": "success" + ] }, - "user": { - "name": "DWM-2", - "domain": "Window Manager", - "id": "S-1-5-90-2" - } - }, - { - "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", - "type": "filebeat", - "version": "8.0.0" + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + }, + "level": "information" }, "process": { + "executable": "C:\\Windows\\System32\\winlogon.exe", "name": "winlogon.exe", - "pid": 2812, - "executable": "C:\\Windows\\System32\\winlogon.exe" + "pid": 2812 }, - "winlog": { - "computer_name": "vagrant-2012-r2", - "process": { - "pid": 516, - "thread": { - "id": 808 - } - }, - "keywords": [ - "Audit Success" + "related": { + "ip": [ + "10.0.2.2" ], - "level": "information", - "logon": { - "type": "RemoteInteractive", - "id": "0x3e7" - }, + "user": [ + "vagrant", + "VAGRANT-2012-R2$" + ] + }, + "source": { + "domain": "VAGRANT-2012-R2", + "ip": "10.0.2.2", + "port": 0 + }, + "user": { + "domain": "VAGRANT-2012-R2", + "id": "S-1-5-21-3541430928-2051711210-1391384369-1001", + "name": "vagrant" + }, + "winlog": { "channel": "Security", + "computer_name": "vagrant-2012-r2", "event_data": { + "AuthenticationPackageName": "Negotiate", + "ImpersonationLevel": "%%1833", + "KeyLength": "0", + "LmPackageName": "-", "LogonGuid": "{00000000-0000-0000-0000-000000000000}", + "LogonProcessName": "User32 ", "LogonType": "10", + "SubjectDomainName": "WORKGROUP", "SubjectLogonId": "0x3e7", - "TransmittedServices": "-", - "KeyLength": "0", - "LmPackageName": "-", - "TargetLogonId": "0x3444f", "SubjectUserName": "VAGRANT-2012-R2$", - "SubjectDomainName": "WORKGROUP", - 
"ImpersonationLevel": "%%1833", - "TargetUserName": "vagrant", - "LogonProcessName": "User32 ", - "TargetDomainName": "VAGRANT-2012-R2", "SubjectUserSid": "S-1-5-18", - "AuthenticationPackageName": "Negotiate", - "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001" + "TargetDomainName": "VAGRANT-2012-R2", + "TargetLogonId": "0x3444f", + "TargetUserName": "vagrant", + "TargetUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001", + "TransmittedServices": "-" }, - "opcode": "Info", - "version": 1, - "record_id": "1567", "event_id": "4624", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x3e7", + "type": "RemoteInteractive" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 516, + "thread": { + "id": 808 + } + }, "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-03-29T21:13:17.614Z", "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - } - }, - "source": { - "port": 0, - "ip": "10.0.2.2", - "domain": "VAGRANT-2012-R2" + "record_id": "1567", + "time_created": "2019-03-29T21:13:17.614Z", + "version": 1 + } + }, + { + "@timestamp": "2019-03-29T21:13:18.786Z", + "agent": { + "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" }, - "@timestamp": "2019-03-29T21:13:17.614Z", "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "vagrant", - "VAGRANT-2012-R2$" - ], - "ip": [ - "10.0.2.2" - ] - }, - "host": { - "name": "vagrant-2012-r2" - }, "event": { - "ingested": "2022-01-12T04:30:38.005293439Z", - "code": "4624", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "logged-in", "category": [ 
"authentication" ], + "code": "4624", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "start" - ], - "outcome": "success" + ] }, - "user": { - "name": "vagrant", - "domain": "VAGRANT-2012-R2", - "id": "S-1-5-21-3541430928-2051711210-1391384369-1001" - } - }, - { - "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", - "type": "filebeat", - "version": "8.0.0" + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + }, + "level": "information" }, "process": { + "executable": "C:\\Windows\\System32\\winlogon.exe", "name": "winlogon.exe", - "pid": 2188, - "executable": "C:\\Windows\\System32\\winlogon.exe" + "pid": 2188 + }, + "related": { + "user": [ + "DWM-3", + "VAGRANT-2012-R2$" + ] + }, + "user": { + "domain": "Window Manager", + "id": "S-1-5-90-3", + "name": "DWM-3" }, - "@timestamp": "2019-03-29T21:13:18.786Z", "winlog": { - "computer_name": "vagrant-2012-r2", - "process": { - "pid": 516, - "thread": { - "id": 556 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "type": "Interactive", - "id": "0x3e7" - }, "channel": "Security", + "computer_name": "vagrant-2012-r2", "event_data": { - "LogonGuid": "{00000000-0000-0000-0000-000000000000}", - "LogonType": "2", + "AuthenticationPackageName": "Negotiate", + "ImpersonationLevel": "%%1833", + "IpAddress": "-", "IpPort": "-", - "SubjectLogonId": "0x3e7", - "TransmittedServices": "-", "KeyLength": "0", "LmPackageName": "-", - "TargetLogonId": "0x357fd", - "SubjectUserName": "VAGRANT-2012-R2$", - "IpAddress": "-", - "SubjectDomainName": "WORKGROUP", - "ImpersonationLevel": "%%1833", - "TargetUserName": "DWM-3", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", "LogonProcessName": "Advapi ", - 
"TargetDomainName": "Window Manager", + "LogonType": "2", + "SubjectDomainName": "WORKGROUP", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "VAGRANT-2012-R2$", "SubjectUserSid": "S-1-5-18", - "AuthenticationPackageName": "Negotiate", - "TargetUserSid": "S-1-5-90-3" + "TargetDomainName": "Window Manager", + "TargetLogonId": "0x357fd", + "TargetUserName": "DWM-3", + "TargetUserSid": "S-1-5-90-3", + "TransmittedServices": "-" }, - "opcode": "Info", - "version": 1, - "record_id": "1570", "event_id": "4624", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x3e7", + "type": "Interactive" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 516, + "thread": { + "id": 556 + } + }, "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-03-29T21:13:18.786Z", "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" + "record_id": "1570", + "time_created": "2019-03-29T21:13:18.786Z", + "version": 1 + } + }, + { + "@timestamp": "2019-03-29T21:20:48.740Z", + "agent": { + "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "DWM-3", - "VAGRANT-2012-R2$" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - } - }, - "host": { - "name": "vagrant-2012-r2" - }, "event": { - "ingested": "2022-01-12T04:30:38.005294282Z", - "code": "4624", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "logged-in", "category": [ "authentication" ], + "code": "4624", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "start" - ], - "outcome": "success" + ] }, - "user": { - "name": "DWM-3", - 
"domain": "Window Manager", - "id": "S-1-5-90-3" - } - }, - { - "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", - "type": "filebeat", - "version": "8.0.0" + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + }, + "level": "information" }, "process": { + "executable": "C:\\Windows\\System32\\services.exe", "name": "services.exe", - "pid": 508, - "executable": "C:\\Windows\\System32\\services.exe" + "pid": 508 + }, + "related": { + "user": [ + "SYSTEM", + "VAGRANT-2012-R2$" + ] + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "SYSTEM" }, - "@timestamp": "2019-03-29T21:20:48.740Z", "winlog": { - "computer_name": "vagrant-2012-r2", - "process": { - "pid": 516, - "thread": { - "id": 1132 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "type": "Service", - "id": "0x3e7" - }, "channel": "Security", + "computer_name": "vagrant-2012-r2", "event_data": { - "LogonGuid": "{00000000-0000-0000-0000-000000000000}", - "LogonType": "5", + "AuthenticationPackageName": "Negotiate", + "ImpersonationLevel": "%%1833", + "IpAddress": "-", "IpPort": "-", - "SubjectLogonId": "0x3e7", - "TransmittedServices": "-", "KeyLength": "0", "LmPackageName": "-", - "TargetLogonId": "0x3e7", - "SubjectUserName": "VAGRANT-2012-R2$", - "IpAddress": "-", - "SubjectDomainName": "WORKGROUP", - "ImpersonationLevel": "%%1833", - "TargetUserName": "SYSTEM", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", "LogonProcessName": "Advapi ", - "TargetDomainName": "NT AUTHORITY", + "LogonType": "5", + "SubjectDomainName": "WORKGROUP", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "VAGRANT-2012-R2$", "SubjectUserSid": "S-1-5-18", - "AuthenticationPackageName": "Negotiate", - "TargetUserSid": "S-1-5-18" + 
"TargetDomainName": "NT AUTHORITY", + "TargetLogonId": "0x3e7", + "TargetUserName": "SYSTEM", + "TargetUserSid": "S-1-5-18", + "TransmittedServices": "-" }, - "opcode": "Info", - "version": 1, - "record_id": "1574", "event_id": "4624", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x3e7", + "type": "Service" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 516, + "thread": { + "id": 1132 + } + }, "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-03-29T21:20:48.740Z", "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" + "record_id": "1574", + "time_created": "2019-03-29T21:20:48.740Z", + "version": 1 + } + }, + { + "@timestamp": "2019-03-29T21:20:48.740Z", + "agent": { + "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "SYSTEM", - "VAGRANT-2012-R2$" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - } - }, - "host": { - "name": "vagrant-2012-r2" - }, "event": { - "ingested": "2022-01-12T04:30:38.005295066Z", - "code": "4624", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "logged-in", "category": [ "authentication" ], + "code": "4624", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "start" - ], - "outcome": "success" + ] }, - "user": { - "name": "SYSTEM", - "domain": "NT AUTHORITY", - "id": "S-1-5-18" - } - }, - { - "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", - "type": "filebeat", - "version": "8.0.0" + "host": { + "name": 
"vagrant-2012-r2" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + }, + "level": "information" }, "process": { + "executable": "C:\\Windows\\System32\\services.exe", "name": "services.exe", - "pid": 508, - "executable": "C:\\Windows\\System32\\services.exe" + "pid": 508 + }, + "related": { + "user": [ + "SYSTEM", + "VAGRANT-2012-R2$" + ] + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "SYSTEM" }, - "@timestamp": "2019-03-29T21:20:48.740Z", "winlog": { - "computer_name": "vagrant-2012-r2", - "process": { - "pid": 516, - "thread": { - "id": 1132 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "type": "Service", - "id": "0x3e7" - }, "channel": "Security", + "computer_name": "vagrant-2012-r2", "event_data": { - "LogonGuid": "{00000000-0000-0000-0000-000000000000}", - "LogonType": "5", + "AuthenticationPackageName": "Negotiate", + "ImpersonationLevel": "%%1833", + "IpAddress": "-", "IpPort": "-", - "SubjectLogonId": "0x3e7", - "TransmittedServices": "-", "KeyLength": "0", "LmPackageName": "-", - "TargetLogonId": "0x3e7", - "SubjectUserName": "VAGRANT-2012-R2$", - "IpAddress": "-", - "SubjectDomainName": "WORKGROUP", - "ImpersonationLevel": "%%1833", - "TargetUserName": "SYSTEM", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", "LogonProcessName": "Advapi ", - "TargetDomainName": "NT AUTHORITY", + "LogonType": "5", + "SubjectDomainName": "WORKGROUP", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "VAGRANT-2012-R2$", "SubjectUserSid": "S-1-5-18", - "AuthenticationPackageName": "Negotiate", - "TargetUserSid": "S-1-5-18" + "TargetDomainName": "NT AUTHORITY", + "TargetLogonId": "0x3e7", + "TargetUserName": "SYSTEM", + "TargetUserSid": "S-1-5-18", + "TransmittedServices": "-" + }, + "event_id": "4624", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x3e7", + 
"type": "Service" }, "opcode": "Info", - "version": 1, - "record_id": "1576", - "event_id": "4624", + "outcome": "success", + "process": { + "pid": 516, + "thread": { + "id": 1132 + } + }, "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-03-29T21:20:48.740Z", "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" + "record_id": "1576", + "time_created": "2019-03-29T21:20:48.740Z", + "version": 1 + } + }, + { + "@timestamp": "2019-03-29T21:20:50.584Z", + "agent": { + "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "SYSTEM", - "VAGRANT-2012-R2$" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - } - }, - "host": { - "name": "vagrant-2012-r2" - }, "event": { - "ingested": "2022-01-12T04:30:38.005295820Z", - "code": "4624", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "logged-in", "category": [ "authentication" ], + "code": "4624", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "start" - ], - "outcome": "success" + ] }, - "user": { - "name": "SYSTEM", - "domain": "NT AUTHORITY", - "id": "S-1-5-18" - } - }, - { - "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", - "type": "filebeat", - "version": "8.0.0" + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + }, + "level": "information" }, "process": { + "executable": "C:\\Windows\\System32\\services.exe", "name": 
"services.exe", - "pid": 508, - "executable": "C:\\Windows\\System32\\services.exe" + "pid": 508 + }, + "related": { + "user": [ + "SYSTEM", + "VAGRANT-2012-R2$" + ] + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "SYSTEM" }, - "@timestamp": "2019-03-29T21:20:50.584Z", "winlog": { - "computer_name": "vagrant-2012-r2", - "process": { - "pid": 516, - "thread": { - "id": 504 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "type": "Service", - "id": "0x3e7" - }, "channel": "Security", + "computer_name": "vagrant-2012-r2", "event_data": { - "LogonGuid": "{00000000-0000-0000-0000-000000000000}", - "LogonType": "5", + "AuthenticationPackageName": "Negotiate", + "ImpersonationLevel": "%%1833", + "IpAddress": "-", "IpPort": "-", - "SubjectLogonId": "0x3e7", - "TransmittedServices": "-", "KeyLength": "0", "LmPackageName": "-", - "TargetLogonId": "0x3e7", - "SubjectUserName": "VAGRANT-2012-R2$", - "IpAddress": "-", - "SubjectDomainName": "WORKGROUP", - "ImpersonationLevel": "%%1833", - "TargetUserName": "SYSTEM", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", "LogonProcessName": "Advapi ", - "TargetDomainName": "NT AUTHORITY", + "LogonType": "5", + "SubjectDomainName": "WORKGROUP", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "VAGRANT-2012-R2$", "SubjectUserSid": "S-1-5-18", - "AuthenticationPackageName": "Negotiate", - "TargetUserSid": "S-1-5-18" + "TargetDomainName": "NT AUTHORITY", + "TargetLogonId": "0x3e7", + "TargetUserName": "SYSTEM", + "TargetUserSid": "S-1-5-18", + "TransmittedServices": "-" }, - "opcode": "Info", - "version": 1, - "record_id": "1578", "event_id": "4624", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x3e7", + "type": "Service" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 516, + "thread": { + "id": 504 + } + }, "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": 
"2019-03-29T21:20:50.584Z", "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" + "record_id": "1578", + "time_created": "2019-03-29T21:20:50.584Z", + "version": 1 + } + }, + { + "@timestamp": "2019-03-29T21:23:42.520Z", + "agent": { + "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "SYSTEM", - "VAGRANT-2012-R2$" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - } - }, - "host": { - "name": "vagrant-2012-r2" - }, "event": { - "ingested": "2022-01-12T04:30:38.005296643Z", - "code": "4624", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "logged-in", "category": [ "authentication" ], + "code": "4624", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "start" - ], - "outcome": "success" + ] }, - "user": { - "name": "SYSTEM", - "domain": "NT AUTHORITY", - "id": "S-1-5-18" - } - }, - { - "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", - "type": "filebeat", - "version": "8.0.0" + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + }, + "level": "information" }, "process": { + "executable": "C:\\Windows\\System32\\services.exe", "name": "services.exe", - "pid": 508, - "executable": "C:\\Windows\\System32\\services.exe" + "pid": 508 + }, + "related": { + "user": [ + "SYSTEM", + "VAGRANT-2012-R2$" + ] + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "SYSTEM" }, - "@timestamp": 
"2019-03-29T21:23:42.520Z", "winlog": { - "computer_name": "vagrant-2012-r2", - "process": { - "pid": 516, - "thread": { - "id": 1132 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "type": "Service", - "id": "0x3e7" - }, "channel": "Security", + "computer_name": "vagrant-2012-r2", "event_data": { - "LogonGuid": "{00000000-0000-0000-0000-000000000000}", - "LogonType": "5", + "AuthenticationPackageName": "Negotiate", + "ImpersonationLevel": "%%1833", + "IpAddress": "-", "IpPort": "-", - "SubjectLogonId": "0x3e7", - "TransmittedServices": "-", "KeyLength": "0", "LmPackageName": "-", - "TargetLogonId": "0x3e7", - "SubjectUserName": "VAGRANT-2012-R2$", - "IpAddress": "-", - "SubjectDomainName": "WORKGROUP", - "ImpersonationLevel": "%%1833", - "TargetUserName": "SYSTEM", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", "LogonProcessName": "Advapi ", - "TargetDomainName": "NT AUTHORITY", + "LogonType": "5", + "SubjectDomainName": "WORKGROUP", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "VAGRANT-2012-R2$", "SubjectUserSid": "S-1-5-18", - "AuthenticationPackageName": "Negotiate", - "TargetUserSid": "S-1-5-18" + "TargetDomainName": "NT AUTHORITY", + "TargetLogonId": "0x3e7", + "TargetUserName": "SYSTEM", + "TargetUserSid": "S-1-5-18", + "TransmittedServices": "-" }, - "opcode": "Info", - "version": 1, - "record_id": "1581", "event_id": "4624", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x3e7", + "type": "Service" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 516, + "thread": { + "id": 1132 + } + }, "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-03-29T21:23:42.520Z", "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, - "ecs": { - "version": "8.0.0" - }, - "related": { - "user": [ - "SYSTEM", - "VAGRANT-2012-R2$" - ] - }, - "log": { - "level": "information", - "file": { - "path": 
"/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - } + "record_id": "1581", + "time_created": "2019-03-29T21:23:42.520Z", + "version": 1 + } + }, + { + "@timestamp": "2019-03-29T21:26:24.176Z", + "agent": { + "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" }, - "host": { - "name": "vagrant-2012-r2" + "ecs": { + "version": "8.0.0" }, "event": { - "ingested": "2022-01-12T04:30:38.005297394Z", - "code": "4624", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "logged-in", "category": [ "authentication" ], + "code": "4624", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "start" - ], - "outcome": "success" + ] }, - "user": { - "name": "SYSTEM", - "domain": "NT AUTHORITY", - "id": "S-1-5-18" - } - }, - { - "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", - "type": "filebeat", - "version": "8.0.0" + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + }, + "level": "information" }, "process": { + "executable": "C:\\Windows\\System32\\services.exe", "name": "services.exe", - "pid": 508, - "executable": "C:\\Windows\\System32\\services.exe" + "pid": 508 + }, + "related": { + "user": [ + "SYSTEM", + "VAGRANT-2012-R2$" + ] + }, + "user": { + "domain": "NT AUTHORITY", + "id": "S-1-5-18", + "name": "SYSTEM" }, - "@timestamp": "2019-03-29T21:26:24.176Z", "winlog": { - "computer_name": "vagrant-2012-r2", - "process": { - "pid": 516, - "thread": { - "id": 344 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "type": "Service", - 
"id": "0x3e7" - }, "channel": "Security", + "computer_name": "vagrant-2012-r2", "event_data": { - "LogonGuid": "{00000000-0000-0000-0000-000000000000}", - "LogonType": "5", + "AuthenticationPackageName": "Negotiate", + "ImpersonationLevel": "%%1833", + "IpAddress": "-", "IpPort": "-", - "SubjectLogonId": "0x3e7", - "TransmittedServices": "-", "KeyLength": "0", "LmPackageName": "-", - "TargetLogonId": "0x3e7", - "SubjectUserName": "VAGRANT-2012-R2$", - "IpAddress": "-", - "SubjectDomainName": "WORKGROUP", - "ImpersonationLevel": "%%1833", - "TargetUserName": "SYSTEM", + "LogonGuid": "{00000000-0000-0000-0000-000000000000}", "LogonProcessName": "Advapi ", - "TargetDomainName": "NT AUTHORITY", + "LogonType": "5", + "SubjectDomainName": "WORKGROUP", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "VAGRANT-2012-R2$", "SubjectUserSid": "S-1-5-18", - "AuthenticationPackageName": "Negotiate", - "TargetUserSid": "S-1-5-18" + "TargetDomainName": "NT AUTHORITY", + "TargetLogonId": "0x3e7", + "TargetUserName": "SYSTEM", + "TargetUserSid": "S-1-5-18", + "TransmittedServices": "-" }, - "opcode": "Info", - "version": 1, - "record_id": "1583", "event_id": "4624", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x3e7", + "type": "Service" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 516, + "thread": { + "id": 344 + } + }, "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-03-29T21:26:24.176Z", "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" + "record_id": "1583", + "time_created": "2019-03-29T21:26:24.176Z", + "version": 1 + } + }, + { + "@timestamp": "2019-03-29T21:45:35.177Z", + "agent": { + "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "SYSTEM", - 
"VAGRANT-2012-R2$" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - } - }, - "host": { - "name": "vagrant-2012-r2" - }, "event": { - "ingested": "2022-01-12T04:30:38.005298213Z", - "code": "4624", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", - "action": "logged-in", + "action": "logon-failed", "category": [ "authentication" ], + "code": "4625", + "kind": "event", + "outcome": "failure", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "start" - ], - "outcome": "success" + ] }, - "user": { - "name": "SYSTEM", - "domain": "NT AUTHORITY", - "id": "S-1-5-18" - } - }, - { - "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "ephemeral_id": "53889096-967d-4626-8c5c-9ec81f6bbc50", - "type": "filebeat", - "version": "8.0.0" + "host": { + "name": "vagrant-2012-r2" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" + }, + "level": "information" }, "process": { + "executable": "C:\\Windows\\System32\\svchost.exe", "name": "svchost.exe", - "pid": 836, - "executable": "C:\\Windows\\System32\\svchost.exe" + "pid": 836 + }, + "related": { + "ip": [ + "::1" + ], + "user": [ + "bosch" + ] + }, + "source": { + "domain": "VAGRANT-2012-R2", + "ip": "::1", + "port": 0 + }, + "user": { + "domain": "VAGRANT-2012-R2", + "id": "S-1-0-0", + "name": "bosch" }, "winlog": { + "channel": "Security", "computer_name": "vagrant-2012-r2", - "process": { - "pid": 516, - "thread": { - "id": 2756 - } + "event_data": { + "AuthenticationPackageName": "Negotiate", + "FailureReason": "%%2313", + "KeyLength": "0", + "LmPackageName": "-", + "LogonProcessName": "seclogo", + "LogonType": "2", + "Status": "0xc000006d", + "SubStatus": "0xc0000064", + "SubjectDomainName": "VAGRANT-2012-R2", + 
"SubjectLogonId": "0x1008e", + "SubjectUserName": "vagrant", + "SubjectUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001", + "TargetDomainName": "VAGRANT-2012-R2", + "TargetUserName": "bosch", + "TargetUserSid": "S-1-0-0", + "TransmittedServices": "-" }, + "event_id": "4625", "keywords": [ "Audit Failure" ], "level": "information", "logon": { - "type": "Interactive", "failure": { - "sub_status": "User logon with misspelled or bad user account", "reason": "Unknown user name or bad password.", - "status": "This is either due to a bad username or authentication information" + "status": "This is either due to a bad username or authentication information", + "sub_status": "User logon with misspelled or bad user account" }, - "id": "0x1008e" - }, - "channel": "Security", - "event_data": { - "Status": "0xc000006d", - "LogonType": "2", - "SubjectLogonId": "0x1008e", - "TransmittedServices": "-", - "KeyLength": "0", - "LmPackageName": "-", - "SubjectUserName": "vagrant", - "FailureReason": "%%2313", - "SubjectDomainName": "VAGRANT-2012-R2", - "TargetUserName": "bosch", - "SubStatus": "0xc0000064", - "LogonProcessName": "seclogo", - "TargetDomainName": "VAGRANT-2012-R2", - "SubjectUserSid": "S-1-5-21-3541430928-2051711210-1391384369-1001", - "AuthenticationPackageName": "Negotiate", - "TargetUserSid": "S-1-0-0" + "id": "0x1008e", + "type": "Interactive" }, "opcode": "Info", - "record_id": "1585", - "event_id": "4625", + "outcome": "failure", + "process": { + "pid": 516, + "thread": { + "id": 2756 + } + }, "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-03-29T21:45:35.177Z", "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "failure" - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2012r2-logon.xml" - } - }, - "source": { - "port": 0, - "ip": "::1", - "domain": "VAGRANT-2012-R2" - }, - "@timestamp": 
"2019-03-29T21:45:35.177Z", - "ecs": { - "version": "8.0.0" - }, - "related": { - "user": [ - "bosch" - ], - "ip": [ - "::1" - ] - }, - "host": { - "name": "vagrant-2012-r2" - }, - "event": { - "ingested": "2022-01-12T04:30:38.005298971Z", - "code": "4625", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", - "action": "logon-failed", - "category": [ - "authentication" - ], - "type": [ - "start" - ], - "outcome": "failure" - }, - "user": { - "name": "bosch", - "domain": "VAGRANT-2012-R2", - "id": "S-1-0-0" + "record_id": "1585", + "time_created": "2019-03-29T21:45:35.177Z" } } ] diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4722-account-enabled.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4722-account-enabled.json-expected.json index b5dda2d9112..4119c3b223e 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4722-account-enabled.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4722-account-enabled.json-expected.json 
@@ -1,109 +1,70 @@ { "expected": [ { + "@timestamp": "2019-09-06T13:28:46.163Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "bf2b0592-35a2-427c-bece-18d57f7881b9", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-09-06T13:28:46.163Z", - "winlog": { - "computer_name": "WIN-41OB2LO92CR", - "process": { - "pid": 780, - "thread": { - "id": 820 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x264b2" - }, - "channel": "Security", - "event_data": { - "SubjectUserName": "Administrator", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1000", - "SubjectDomainName": "WIN-41OB2LO92CR", - "SubjectLogonId": "0x264b2", - "TargetUserName": "audittest", - "TargetDomainName": "WIN-41OB2LO92CR", - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500" - }, - "opcode": "Info", - "record_id": "2815", - "event_id": "4722", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", - "time_created": "2019-09-06T13:28:46.163Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "Administrator", - "audittest" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4722_Account_Enabled.xml" - } - }, - "host": { - "name": "WIN-41OB2LO92CR" - }, "event": { - "ingested": "2022-01-12T04:30:47.879233290Z", - "code": "4722", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "enabled-user-account", "category": [ "iam" ], + "code": "4722", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "user", "change" - ], - "outcome": 
"success" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4722_Account_Enabled.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator", + "audittest" + ] }, "user": { - "name": "Administrator", - "id": "S-1-5-21-101361758-2486510592-3018839910-500", "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator", "target": { - "name": "audittest", "domain": "WIN-41OB2LO92CR", - "id": "S-1-5-21-101361758-2486510592-3018839910-1000" + "id": "S-1-5-21-101361758-2486510592-3018839910-1000", + "name": "audittest" } - } - }, - { - "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "ephemeral_id": "bf2b0592-35a2-427c-bece-18d57f7881b9", - "type": "filebeat", - "version": "8.0.0" }, - "@timestamp": "2019-09-06T13:29:08.573Z", "winlog": { + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "channel": "Security", "computer_name": "WIN-41OB2LO92CR", - "process": { - "pid": 780, - "thread": { - "id": 532 - } + "event_data": { + "SubjectDomainName": "WIN-41OB2LO92CR", + "SubjectLogonId": "0x264b2", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1000", + "TargetUserName": "audittest" }, + "event_id": "4722", "keywords": [ "Audit Success" ], 
@@ -111,67 +72,104 @@ "logon": { "id": "0x264b2" }, - "channel": "Security", - "event_data": { - "SubjectUserName": "Administrator", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1006", - "SubjectDomainName": "WIN-41OB2LO92CR", - "SubjectLogonId": "0x264b2", - "TargetUserName": "audittest0609", - "TargetDomainName": "WIN-41OB2LO92CR", - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500" - }, "opcode": "Info", - "record_id": "2826", - "event_id": "4722", + "outcome": "success", + "process": { + "pid": 780, + "thread": { + "id": 820 + } + }, "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", - "time_created": "2019-09-06T13:29:08.573Z", "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" + "record_id": "2815", + "time_created": "2019-09-06T13:28:46.163Z" + } + }, + { + "@timestamp": "2019-09-06T13:29:08.573Z", + "agent": { + "ephemeral_id": "bf2b0592-35a2-427c-bece-18d57f7881b9", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "Administrator", - "audittest0609" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4722_Account_Enabled.xml" - } - }, - "host": { - "name": "WIN-41OB2LO92CR" - }, "event": { - "ingested": "2022-01-12T04:30:47.879235771Z", - "code": "4722", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "enabled-user-account", "category": [ "iam" ], + "code": "4722", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "user", "change" - ], - "outcome": "success" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "log": { + "file": { + "path": 
"/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4722_Account_Enabled.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator", + "audittest0609" + ] }, "user": { - "name": "Administrator", - "id": "S-1-5-21-101361758-2486510592-3018839910-500", "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator", "target": { - "name": "audittest0609", "domain": "WIN-41OB2LO92CR", - "id": "S-1-5-21-101361758-2486510592-3018839910-1006" + "id": "S-1-5-21-101361758-2486510592-3018839910-1006", + "name": "audittest0609" } + }, + "winlog": { + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR", + "event_data": { + "SubjectDomainName": "WIN-41OB2LO92CR", + "SubjectLogonId": "0x264b2", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1006", + "TargetUserName": "audittest0609" + }, + "event_id": "4722", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x264b2" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 780, + "thread": { + "id": 532 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "2826", + "time_created": "2019-09-06T13:29:08.573Z" } } ] diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4723-password-change.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4723-password-change.json-expected.json index 4262a896e2b..44e7b1b5f62 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4723-password-change.json-expected.json 
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4723-password-change.json-expected.json 
@@ -1,177 +1,175 @@ { "expected": [ { + "@timestamp": "2019-09-06T13:32:13.855Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "183bfef0-27fc-4fc0-b569-2d42d6e33862", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-09-06T13:32:13.855Z", - "winlog": { - "computer_name": "WIN-41OB2LO92CR", - "process": { - "pid": 780, - "thread": { - "id": 820 - } - }, - "keywords": [ - "Audit Failure" - ], - "level": "information", - "logon": { - "id": "0x264b2" - }, - "channel": "Security", - "event_data": { - "SubjectUserName": "Administrator", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-500", - "SubjectDomainName": "WIN-41OB2LO92CR", - "SubjectLogonId": "0x264b2", - "TargetUserName": "Administrator", - "TargetDomainName": "WIN-41OB2LO92CR", - "PrivilegeList": "-", - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500" - }, - "opcode": "Info", - "record_id": "2838", - "event_id": "4723", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", - "time_created": "2019-09-06T13:32:13.855Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "failure" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "Administrator" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4723_Password_Change.xml" - } - }, - "host": { - "name": "WIN-41OB2LO92CR" - }, "event": { - "ingested": "2022-01-12T04:30:49.371006390Z", - "code": "4723", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "changed-password", "category": [ "iam" ], + "code": "4723", + "kind": "event", + "outcome": "failure", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "user", "change" - ], - 
"outcome": "failure" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4723_Password_Change.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator" + ] }, "user": { - "name": "Administrator", - "id": "S-1-5-21-101361758-2486510592-3018839910-500", "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator", "target": { - "name": "Administrator", "domain": "WIN-41OB2LO92CR", - "id": "S-1-5-21-101361758-2486510592-3018839910-500" + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator" } - } - }, - { - "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "ephemeral_id": "183bfef0-27fc-4fc0-b569-2d42d6e33862", - "type": "filebeat", - "version": "8.0.0" }, - "@timestamp": "2019-09-06T13:32:23.885Z", "winlog": { + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "channel": "Security", "computer_name": "WIN-41OB2LO92CR", - "process": { - "pid": 780, - "thread": { - "id": 532 - } + "event_data": { + "PrivilegeList": "-", + "SubjectDomainName": "WIN-41OB2LO92CR", + "SubjectLogonId": "0x264b2", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetUserName": "Administrator" }, + "event_id": "4723", "keywords": [ - "Audit Success" + "Audit Failure" ], "level": "information", "logon": { "id": "0x264b2" }, - "channel": "Security", - "event_data": { - "SubjectUserName": "Administrator", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-500", - "SubjectDomainName": "WIN-41OB2LO92CR", - "SubjectLogonId": "0x264b2", - "TargetUserName": "Administrator", - "TargetDomainName": "WIN-41OB2LO92CR", - "PrivilegeList": "-", - 
"SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500" - }, "opcode": "Info", - "record_id": "2839", - "event_id": "4723", + "outcome": "failure", + "process": { + "pid": 780, + "thread": { + "id": 820 + } + }, "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", - "time_created": "2019-09-06T13:32:23.885Z", "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" + "record_id": "2838", + "time_created": "2019-09-06T13:32:13.855Z" + } + }, + { + "@timestamp": "2019-09-06T13:32:23.885Z", + "agent": { + "ephemeral_id": "183bfef0-27fc-4fc0-b569-2d42d6e33862", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "Administrator" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4723_Password_Change.xml" - } - }, - "host": { - "name": "WIN-41OB2LO92CR" - }, "event": { - "ingested": "2022-01-12T04:30:49.371009385Z", - "code": "4723", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "changed-password", "category": [ "iam" ], + "code": "4723", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "user", "change" - ], - "outcome": "success" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4723_Password_Change.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator" + ] }, "user": { - "name": "Administrator", - "id": "S-1-5-21-101361758-2486510592-3018839910-500", "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator", "target": { - 
"name": "Administrator", "domain": "WIN-41OB2LO92CR", - "id": "S-1-5-21-101361758-2486510592-3018839910-500" + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator" } + }, + "winlog": { + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR", + "event_data": { + "PrivilegeList": "-", + "SubjectDomainName": "WIN-41OB2LO92CR", + "SubjectLogonId": "0x264b2", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetUserName": "Administrator" + }, + "event_id": "4723", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x264b2" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 780, + "thread": { + "id": 532 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "2839", + "time_created": "2019-09-06T13:32:23.885Z" } } ] diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4724-password-reset.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4724-password-reset.json-expected.json index 39c8300dcc9..6c15e791de1 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4724-password-reset.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4724-password-reset.json-expected.json 
@@ -1,109 +1,70 @@ { "expected": [ { + "@timestamp": "2019-09-06T13:24:39.339Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "bada69aa-9ce0-403f-9c89-ab8217732fb4", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-09-06T13:24:39.339Z", - "winlog": { - "computer_name": "WIN-41OB2LO92CR", - "process": { - "pid": 780, - "thread": { - "id": 816 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x264b2" - }, - "channel": "Security", - "event_data": { - "SubjectUserName": "Administrator", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1005", - "SubjectDomainName": "WIN-41OB2LO92CR", - "SubjectLogonId": "0x264b2", - "TargetUserName": "elastictest1", - "TargetDomainName": "WIN-41OB2LO92CR", - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500" - }, - "opcode": "Info", - "record_id": "2762", - "event_id": "4724", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", - "time_created": "2019-09-06T13:24:39.339Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "Administrator", - "elastictest1" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4724_Password_Reset.xml" - } - }, - "host": { - "name": "WIN-41OB2LO92CR" - }, "event": { - "ingested": "2022-01-12T04:30:50.507044191Z", - "code": "4724", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "reset-password", "category": [ "iam" ], + "code": "4724", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "user", "change" - ], - "outcome": 
"success" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4724_Password_Reset.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator", + "elastictest1" + ] }, "user": { - "name": "Administrator", - "id": "S-1-5-21-101361758-2486510592-3018839910-500", "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator", "target": { - "name": "elastictest1", "domain": "WIN-41OB2LO92CR", - "id": "S-1-5-21-101361758-2486510592-3018839910-1005" + "id": "S-1-5-21-101361758-2486510592-3018839910-1005", + "name": "elastictest1" } - } - }, - { - "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "ephemeral_id": "bada69aa-9ce0-403f-9c89-ab8217732fb4", - "type": "filebeat", - "version": "8.0.0" }, - "@timestamp": "2019-09-06T13:25:21.900Z", "winlog": { + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "channel": "Security", "computer_name": "WIN-41OB2LO92CR", - "process": { - "pid": 780, - "thread": { - "id": 820 - } + "event_data": { + "SubjectDomainName": "WIN-41OB2LO92CR", + "SubjectLogonId": "0x264b2", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1005", + "TargetUserName": "elastictest1" }, + "event_id": "4724", "keywords": [ "Audit Success" ], 
@@ -111,67 +72,104 @@ "logon": { "id": "0x264b2" }, - "channel": "Security", - "event_data": { - "SubjectUserName": "Administrator", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1006", - "SubjectDomainName": "WIN-41OB2LO92CR", - "SubjectLogonId": "0x264b2", - "TargetUserName": "audittest0609", - "TargetDomainName": "WIN-41OB2LO92CR", - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500" - }, "opcode": "Info", - "record_id": "2787", - "event_id": "4724", + "outcome": "success", + "process": { + "pid": 780, + "thread": { + "id": 816 + } + }, "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", - "time_created": "2019-09-06T13:25:21.900Z", "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" + "record_id": "2762", + "time_created": "2019-09-06T13:24:39.339Z" + } + }, + { + "@timestamp": "2019-09-06T13:25:21.900Z", + "agent": { + "ephemeral_id": "bada69aa-9ce0-403f-9c89-ab8217732fb4", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "Administrator", - "audittest0609" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4724_Password_Reset.xml" - } - }, - "host": { - "name": "WIN-41OB2LO92CR" - }, "event": { - "ingested": "2022-01-12T04:30:50.507046904Z", - "code": "4724", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "reset-password", "category": [ "iam" ], + "code": "4724", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "user", "change" - ], - "outcome": "success" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "log": { + "file": { + "path": 
"/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4724_Password_Reset.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator", + "audittest0609" + ] }, "user": { - "name": "Administrator", - "id": "S-1-5-21-101361758-2486510592-3018839910-500", "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator", "target": { - "name": "audittest0609", "domain": "WIN-41OB2LO92CR", - "id": "S-1-5-21-101361758-2486510592-3018839910-1006" + "id": "S-1-5-21-101361758-2486510592-3018839910-1006", + "name": "audittest0609" } + }, + "winlog": { + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR", + "event_data": { + "SubjectDomainName": "WIN-41OB2LO92CR", + "SubjectLogonId": "0x264b2", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1006", + "TargetUserName": "audittest0609" + }, + "event_id": "4724", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x264b2" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 780, + "thread": { + "id": 820 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "2787", + "time_created": "2019-09-06T13:25:21.900Z" } } ] diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4725-account-disabled.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4725-account-disabled.json-expected.json index 3deadaffa12..093f0e6a9cd 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4725-account-disabled.json-expected.json 
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4725-account-disabled.json-expected.json 
@@ -1,109 +1,70 @@ { "expected": [ { + "@timestamp": "2019-09-06T13:28:40.001Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "1bccb9d3-7ebc-4789-bfc0-9b920f756ba5", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-09-06T13:28:40.001Z", - "winlog": { - "computer_name": "WIN-41OB2LO92CR", - "process": { - "pid": 780, - "thread": { - "id": 532 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x264b2" - }, - "channel": "Security", - "event_data": { - "SubjectUserName": "Administrator", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1000", - "SubjectDomainName": "WIN-41OB2LO92CR", - "SubjectLogonId": "0x264b2", - "TargetUserName": "audittest", - "TargetDomainName": "WIN-41OB2LO92CR", - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500" - }, - "opcode": "Info", - "record_id": "2810", - "event_id": "4725", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", - "time_created": "2019-09-06T13:28:40.001Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "Administrator", - "audittest" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4725_Account_Disabled.xml" - } - }, - "host": { - "name": "WIN-41OB2LO92CR" - }, "event": { - "ingested": "2022-01-12T04:30:51.706736922Z", - "code": "4725", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "disabled-user-account", "category": [ "iam" ], + "code": "4725", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "user", "deletion" - ], - 
"outcome": "success" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4725_Account_Disabled.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator", + "audittest" + ] }, "user": { - "name": "Administrator", - "id": "S-1-5-21-101361758-2486510592-3018839910-500", "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator", "target": { - "name": "audittest", "domain": "WIN-41OB2LO92CR", - "id": "S-1-5-21-101361758-2486510592-3018839910-1000" + "id": "S-1-5-21-101361758-2486510592-3018839910-1000", + "name": "audittest" } - } - }, - { - "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "ephemeral_id": "1bccb9d3-7ebc-4789-bfc0-9b920f756ba5", - "type": "filebeat", - "version": "8.0.0" }, - "@timestamp": "2019-09-06T13:28:55.264Z", "winlog": { + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "channel": "Security", "computer_name": "WIN-41OB2LO92CR", - "process": { - "pid": 780, - "thread": { - "id": 532 - } + "event_data": { + "SubjectDomainName": "WIN-41OB2LO92CR", + "SubjectLogonId": "0x264b2", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1000", + "TargetUserName": "audittest" }, + "event_id": "4725", "keywords": [ "Audit Success" ], 
@@ -111,67 +72,104 @@ "logon": { "id": "0x264b2" }, - "channel": "Security", - "event_data": { - "SubjectUserName": "Administrator", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1006", - "SubjectDomainName": "WIN-41OB2LO92CR", - "SubjectLogonId": "0x264b2", - "TargetUserName": "audittest0609", - "TargetDomainName": "WIN-41OB2LO92CR", - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500" - }, "opcode": "Info", - "record_id": "2820", - "event_id": "4725", + "outcome": "success", + "process": { + "pid": 780, + "thread": { + "id": 532 + } + }, "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", - "time_created": "2019-09-06T13:28:55.264Z", "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" + "record_id": "2810", + "time_created": "2019-09-06T13:28:40.001Z" + } + }, + { + "@timestamp": "2019-09-06T13:28:55.264Z", + "agent": { + "ephemeral_id": "1bccb9d3-7ebc-4789-bfc0-9b920f756ba5", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "Administrator", - "audittest0609" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4725_Account_Disabled.xml" - } - }, - "host": { - "name": "WIN-41OB2LO92CR" - }, "event": { - "ingested": "2022-01-12T04:30:51.706739779Z", - "code": "4725", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "disabled-user-account", "category": [ "iam" ], + "code": "4725", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "user", "deletion" - ], - "outcome": "success" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "log": { + "file": { + "path": 
"/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4725_Account_Disabled.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator", + "audittest0609" + ] }, "user": { - "name": "Administrator", - "id": "S-1-5-21-101361758-2486510592-3018839910-500", "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator", "target": { - "name": "audittest0609", "domain": "WIN-41OB2LO92CR", - "id": "S-1-5-21-101361758-2486510592-3018839910-1006" + "id": "S-1-5-21-101361758-2486510592-3018839910-1006", + "name": "audittest0609" } + }, + "winlog": { + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR", + "event_data": { + "SubjectDomainName": "WIN-41OB2LO92CR", + "SubjectLogonId": "0x264b2", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1006", + "TargetUserName": "audittest0609" + }, + "event_id": "4725", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x264b2" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 780, + "thread": { + "id": 532 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "2820", + "time_created": "2019-09-06T13:28:55.264Z" } } ] diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4726-account-deleted.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4726-account-deleted.json-expected.json index b95267569c5..95340ef6256 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4726-account-deleted.json-expected.json 
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4726-account-deleted.json-expected.json 
@@ -1,110 +1,71 @@ { "expected": [ { + "@timestamp": "2019-09-06T13:35:25.515Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "0576ed73-5ee1-437f-bd1a-cf8dae0a9e24", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-09-06T13:35:25.515Z", - "winlog": { - "computer_name": "WIN-41OB2LO92CR", - "process": { - "pid": 780, - "thread": { - "id": 1980 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x264b2" - }, - "channel": "Security", - "event_data": { - "SubjectUserName": "Administrator", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1001", - "SubjectDomainName": "WIN-41OB2LO92CR", - "SubjectLogonId": "0x264b2", - "TargetUserName": "audittest23", - "TargetDomainName": "WIN-41OB2LO92CR", - "PrivilegeList": "-", - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500" - }, - "opcode": "Info", - "record_id": "2851", - "event_id": "4726", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", - "time_created": "2019-09-06T13:35:25.515Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "Administrator", - "audittest23" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4726_Account_Deleted.xml" - } - }, - "host": { - "name": "WIN-41OB2LO92CR" - }, "event": { - "ingested": "2022-01-12T04:30:52.338468919Z", - "code": "4726", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "deleted-user-account", "category": [ "iam" ], + "code": "4726", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "user", 
"deletion" - ], - "outcome": "success" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4726_Account_Deleted.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator", + "audittest23" + ] }, "user": { - "name": "Administrator", - "id": "S-1-5-21-101361758-2486510592-3018839910-500", "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator", "target": { - "name": "audittest23", "domain": "WIN-41OB2LO92CR", - "id": "S-1-5-21-101361758-2486510592-3018839910-1001" + "id": "S-1-5-21-101361758-2486510592-3018839910-1001", + "name": "audittest23" } - } - }, - { - "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "ephemeral_id": "0576ed73-5ee1-437f-bd1a-cf8dae0a9e24", - "type": "filebeat", - "version": "8.0.0" }, - "@timestamp": "2019-09-06T13:35:29.690Z", "winlog": { + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "channel": "Security", "computer_name": "WIN-41OB2LO92CR", - "process": { - "pid": 780, - "thread": { - "id": 820 - } + "event_data": { + "PrivilegeList": "-", + "SubjectDomainName": "WIN-41OB2LO92CR", + "SubjectLogonId": "0x264b2", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1001", + "TargetUserName": "audittest23" }, + "event_id": "4726", "keywords": [ "Audit Success" ], 
@@ -112,68 +73,105 @@ "logon": { "id": "0x264b2" }, - "channel": "Security", - "event_data": { - "SubjectUserName": "Administrator", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1000", - "SubjectDomainName": "WIN-41OB2LO92CR", - "SubjectLogonId": "0x264b2", - "TargetUserName": "audittest", - "TargetDomainName": "WIN-41OB2LO92CR", - "PrivilegeList": "-", - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500" - }, "opcode": "Info", - "record_id": "2857", - "event_id": "4726", + "outcome": "success", + "process": { + "pid": 780, + "thread": { + "id": 1980 + } + }, "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", - "time_created": "2019-09-06T13:35:29.690Z", "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" + "record_id": "2851", + "time_created": "2019-09-06T13:35:25.515Z" + } + }, + { + "@timestamp": "2019-09-06T13:35:29.690Z", + "agent": { + "ephemeral_id": "0576ed73-5ee1-437f-bd1a-cf8dae0a9e24", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "Administrator", - "audittest" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4726_Account_Deleted.xml" - } - }, - "host": { - "name": "WIN-41OB2LO92CR" - }, "event": { - "ingested": "2022-01-12T04:30:52.338471179Z", - "code": "4726", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "deleted-user-account", "category": [ "iam" ], + "code": "4726", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "user", "deletion" - ], - "outcome": "success" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "log": { + "file": { + "path": 
"/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4726_Account_Deleted.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator", + "audittest" + ] }, "user": { - "name": "Administrator", - "id": "S-1-5-21-101361758-2486510592-3018839910-500", "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator", "target": { - "name": "audittest", "domain": "WIN-41OB2LO92CR", - "id": "S-1-5-21-101361758-2486510592-3018839910-1000" + "id": "S-1-5-21-101361758-2486510592-3018839910-1000", + "name": "audittest" } + }, + "winlog": { + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR", + "event_data": { + "PrivilegeList": "-", + "SubjectDomainName": "WIN-41OB2LO92CR", + "SubjectLogonId": "0x264b2", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1000", + "TargetUserName": "audittest" + }, + "event_id": "4726", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x264b2" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 780, + "thread": { + "id": 820 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "2857", + "time_created": "2019-09-06T13:35:29.690Z" } } ] diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4727.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4727.json-expected.json index aad87ace125..2f4c95483b3 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4727.json-expected.json 
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4727.json-expected.json 
@@ -1,91 +1,90 @@ { "expected": [ { + "@timestamp": "2019-10-22T11:26:12.495Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "a6c7bf33-4c58-473a-b21e-ff14cfa0876c", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-10-22T11:26:12.495Z", - "winlog": { - "computer_name": "WIN-41OB2LO92CR.wlbeat.local", - "process": { - "pid": 772, - "thread": { - "id": 1664 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x27438" - }, - "channel": "Security", - "event_data": { - "SamAccountName": "DnsUpdateProxy", - "SubjectUserName": "WIN-41OB2LO92CR$", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1110", - "SidHistory": "-", - "SubjectDomainName": "WLBEAT", - "SubjectLogonId": "0x27438", - "TargetUserName": "DnsUpdateProxy", - "TargetDomainName": "WLBEAT", - "PrivilegeList": "-", - "SubjectUserSid": "S-1-5-18" - }, - "opcode": "Info", - "record_id": "4105", - "event_id": "4727", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-10-22T11:26:12.495Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "WIN-41OB2LO92CR$" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4727.xml" - } - }, - "host": { - "name": "WIN-41OB2LO92CR.wlbeat.local" - }, "event": { - "ingested": "2022-01-12T04:30:53.398087716Z", - "code": "4727", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "added-group-account", "category": [ "iam" ], + "code": "4727", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "group", "creation" - ], - "outcome": "success" + ] }, - 
"user": { - "name": "WIN-41OB2LO92CR$", + "group": { "domain": "WLBEAT", - "id": "S-1-5-18" + "id": "S-1-5-21-101361758-2486510592-3018839910-1110", + "name": "DnsUpdateProxy" }, - "group": { - "name": "DnsUpdateProxy", + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4727.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "WIN-41OB2LO92CR$" + ] + }, + "user": { "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1110" + "id": "S-1-5-18", + "name": "WIN-41OB2LO92CR$" + }, + "winlog": { + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_data": { + "PrivilegeList": "-", + "SamAccountName": "DnsUpdateProxy", + "SidHistory": "-", + "SubjectDomainName": "WLBEAT", + "SubjectLogonId": "0x27438", + "SubjectUserName": "WIN-41OB2LO92CR$", + "SubjectUserSid": "S-1-5-18", + "TargetDomainName": "WLBEAT", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1110", + "TargetUserName": "DnsUpdateProxy" + }, + "event_id": "4727", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x27438" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 772, + "thread": { + "id": 1664 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "4105", + "time_created": "2019-10-22T11:26:12.495Z" } } ] diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4728.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4728.json-expected.json index 2dfafc9c071..5dd8b6c923d 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4728.json-expected.json 
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4728.json-expected.json 
@@ -1,100 +1,99 @@ { "expected": [ { + "@timestamp": "2019-10-22T11:33:26.861Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "20391a81-820a-4b74-9022-d7e336c7a6a5", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-10-22T11:33:26.861Z", - "winlog": { - "computer_name": "WIN-41OB2LO92CR.wlbeat.local", - "process": { - "pid": 772, - "thread": { - "id": 1664 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x4a727" - }, - "channel": "Security", - "event_data": { - "SubjectUserName": "Administrator", - "MemberSid": "S-1-5-21-101361758-2486510592-3018839910-500", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1112", - "SubjectDomainName": "WLBEAT", - "MemberName": "CN=Administrator,CN=Users,DC=wlbeat,DC=local", - "SubjectLogonId": "0x4a727", - "TargetUserName": "test_group2", - "TargetDomainName": "WLBEAT", - "PrivilegeList": "-", - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500" - }, - "opcode": "Info", - "record_id": "4657", - "event_id": "4728", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-10-22T11:33:26.861Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "Administrator" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4728.xml" - } - }, - "host": { - "name": "WIN-41OB2LO92CR.wlbeat.local" - }, "event": { - "ingested": "2022-01-12T04:30:53.966855814Z", - "code": "4728", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "added-member-to-group", "category": [ "iam" ], + "code": "4728", + "kind": "event", + "outcome": "success", + "provider": 
"Microsoft-Windows-Security-Auditing", "type": [ "group", "change" - ], - "outcome": "success" + ] + }, + "group": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1112", + "name": "test_group2" + }, + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4728.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator" + ] }, "user": { - "name": "Administrator", - "id": "S-1-5-21-101361758-2486510592-3018839910-500", "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator", "target": { - "name": "Administrator", "domain": "local", "group": { - "name": "test_group2", "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1112" - } + "id": "S-1-5-21-101361758-2486510592-3018839910-1112", + "name": "test_group2" + }, + "name": "Administrator" } }, - "group": { - "name": "test_group2", - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1112" + "winlog": { + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_data": { + "MemberName": "CN=Administrator,CN=Users,DC=wlbeat,DC=local", + "MemberSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "PrivilegeList": "-", + "SubjectDomainName": "WLBEAT", + "SubjectLogonId": "0x4a727", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WLBEAT", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1112", + "TargetUserName": "test_group2" + }, + "event_id": "4728", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x4a727" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 772, + "thread": { + "id": 1664 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": 
"Microsoft-Windows-Security-Auditing",
+ "record_id": "4657",
+ "time_created": "2019-10-22T11:33:26.861Z"
 }
 }
 ]
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4729.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4729.json-expected.json
index e4320ade8c1..776df6ccd0f 100644
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4729.json-expected.json
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4729.json-expected.json
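Review bot: In the regenerated `user.target` block of the 4728 fixture, `user.target.domain` is still pinned to `"local"` while `user.domain`, `group.domain` and `winlog.event_data.TargetDomainName` in the same event are all `"WLBEAT"`; the value looks as if it were taken from the trailing `DC=local` component of `MemberName` (`CN=Administrator,CN=Users,DC=wlbeat,DC=local`) rather than the domain the event reports, though that inference needs confirming against the pipeline. Re-committing the expected output codifies that inconsistency, so a detection on privileged group-membership changes that keys on the target member's domain would not correlate with the subject or the group. If the extraction is intended, please say so in the commit description; if not, the expected line should read `"domain": "WLBEAT"` once the pipeline is corrected. The 4729 fixture's hunk below carries the same `"domain": "local"` value and should be treated together with this one.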
@@ -1,100 +1,99 @@ { "expected": [ { + "@timestamp": "2019-10-22T11:33:45.543Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "7634b57b-f6ad-4530-9332-efe87a928e1e", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-10-22T11:33:45.543Z", - "winlog": { - "computer_name": "WIN-41OB2LO92CR.wlbeat.local", - "process": { - "pid": 772, - "thread": { - "id": 1664 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x4a727" - }, - "channel": "Security", - "event_data": { - "SubjectUserName": "Administrator", - "MemberSid": "S-1-5-21-101361758-2486510592-3018839910-500", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1112", - "SubjectDomainName": "WLBEAT", - "MemberName": "CN=Administrator,CN=Users,DC=wlbeat,DC=local", - "SubjectLogonId": "0x4a727", - "TargetUserName": "test_group2v2", - "TargetDomainName": "WLBEAT", - "PrivilegeList": "-", - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500" - }, - "opcode": "Info", - "record_id": "4665", - "event_id": "4729", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-10-22T11:33:45.543Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "Administrator" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4729.xml" - } - }, - "host": { - "name": "WIN-41OB2LO92CR.wlbeat.local" - }, "event": { - "ingested": "2022-01-12T04:30:54.577055260Z", - "code": "4729", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "removed-member-from-group", "category": [ "iam" ], + "code": "4729", + "kind": "event", + "outcome": "success", + "provider": 
"Microsoft-Windows-Security-Auditing", "type": [ "group", "change" - ], - "outcome": "success" + ] + }, + "group": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1112", + "name": "test_group2v2" + }, + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4729.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator" + ] }, "user": { - "name": "Administrator", - "id": "S-1-5-21-101361758-2486510592-3018839910-500", "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator", "target": { - "name": "Administrator", "domain": "local", "group": { - "name": "test_group2v2", "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1112" - } + "id": "S-1-5-21-101361758-2486510592-3018839910-1112", + "name": "test_group2v2" + }, + "name": "Administrator" } }, - "group": { - "name": "test_group2v2", - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1112" + "winlog": { + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_data": { + "MemberName": "CN=Administrator,CN=Users,DC=wlbeat,DC=local", + "MemberSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "PrivilegeList": "-", + "SubjectDomainName": "WLBEAT", + "SubjectLogonId": "0x4a727", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WLBEAT", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1112", + "TargetUserName": "test_group2v2" + }, + "event_id": "4729", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x4a727" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 772, + "thread": { + "id": 1664 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": 
"Microsoft-Windows-Security-Auditing", + "record_id": "4665", + "time_created": "2019-10-22T11:33:45.543Z" } } ] diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4730.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4730.json-expected.json index 2a9bf441220..108a37ed192 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4730.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4730.json-expected.json 
@@ -1,89 +1,88 @@ { "expected": [ { + "@timestamp": "2019-10-22T11:34:01.610Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "b88ce36d-4f81-470b-8142-61f8152521db", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-10-22T11:34:01.610Z", - "winlog": { - "computer_name": "WIN-41OB2LO92CR.wlbeat.local", - "process": { - "pid": 772, - "thread": { - "id": 1664 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x4a727" - }, - "channel": "Security", - "event_data": { - "SubjectUserName": "Administrator", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1112", - "SubjectDomainName": "WLBEAT", - "SubjectLogonId": "0x4a727", - "TargetUserName": "test_group2v2", - "TargetDomainName": "WLBEAT", - "PrivilegeList": "-", - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500" - }, - "opcode": "Info", - "record_id": "4670", - "event_id": "4730", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-10-22T11:34:01.610Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "Administrator" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4730.xml" - } - }, - "host": { - "name": "WIN-41OB2LO92CR.wlbeat.local" - }, "event": { - "ingested": "2022-01-12T04:30:55.228290286Z", - "code": "4730", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "deleted-group-account", "category": [ "iam" ], + "code": "4730", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "group", "deletion" - ], - "outcome": "success" + ] }, - "user": { - "name": 
"Administrator", + "group": { "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-500" + "id": "S-1-5-21-101361758-2486510592-3018839910-1112", + "name": "test_group2v2" }, - "group": { - "name": "test_group2v2", + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4730.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator" + ] + }, + "user": { "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1112" + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator" + }, + "winlog": { + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_data": { + "PrivilegeList": "-", + "SubjectDomainName": "WLBEAT", + "SubjectLogonId": "0x4a727", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WLBEAT", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1112", + "TargetUserName": "test_group2v2" + }, + "event_id": "4730", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x4a727" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 772, + "thread": { + "id": 1664 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "4670", + "time_created": "2019-10-22T11:34:01.610Z" } } ] diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4731.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4731.json-expected.json index d1747d50c16..25ee03f04de 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4731.json-expected.json 
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4731.json-expected.json 
@@ -1,91 +1,90 @@ { "expected": [ { + "@timestamp": "2019-10-22T11:29:49.358Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "e2d64d83-2a92-4e42-be65-f582b54806c0", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-10-22T11:29:49.358Z", - "winlog": { - "computer_name": "WIN-41OB2LO92CR.wlbeat.local", - "process": { - "pid": 772, - "thread": { - "id": 1664 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x4a727" - }, - "channel": "Security", - "event_data": { - "SamAccountName": "test_group1", - "SubjectUserName": "Administrator", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1111", - "SidHistory": "-", - "SubjectDomainName": "WLBEAT", - "SubjectLogonId": "0x4a727", - "TargetUserName": "test_group1", - "TargetDomainName": "WLBEAT", - "PrivilegeList": "-", - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500" - }, - "opcode": "Info", - "record_id": "4569", - "event_id": "4731", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-10-22T11:29:49.358Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "Administrator" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4731.xml" - } - }, - "host": { - "name": "WIN-41OB2LO92CR.wlbeat.local" - }, "event": { - "ingested": "2022-01-12T04:30:55.683717424Z", - "code": "4731", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "added-group-account", "category": [ "iam" ], + "code": "4731", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "group", "creation" - ], - "outcome": 
"success" + ] }, - "user": { - "name": "Administrator", + "group": { "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-500" + "id": "S-1-5-21-101361758-2486510592-3018839910-1111", + "name": "test_group1" }, - "group": { - "name": "test_group1", + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4731.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator" + ] + }, + "user": { "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1111" + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator" + }, + "winlog": { + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_data": { + "PrivilegeList": "-", + "SamAccountName": "test_group1", + "SidHistory": "-", + "SubjectDomainName": "WLBEAT", + "SubjectLogonId": "0x4a727", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WLBEAT", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1111", + "TargetUserName": "test_group1" + }, + "event_id": "4731", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x4a727" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 772, + "thread": { + "id": 1664 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "4569", + "time_created": "2019-10-22T11:29:49.358Z" } } ] diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4732.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4732.json-expected.json index 8cb3b5e92fc..98874d39af0 100644 
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4732.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4732.json-expected.json 
@@ -1,100 +1,99 @@ { "expected": [ { + "@timestamp": "2019-10-22T11:31:58.039Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "55e8e30a-98a5-48de-86a3-772d01e6cb34", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-10-22T11:31:58.039Z", - "winlog": { - "computer_name": "WIN-41OB2LO92CR.wlbeat.local", - "process": { - "pid": 772, - "thread": { - "id": 1664 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x4a727" - }, - "channel": "Security", - "event_data": { - "SubjectUserName": "Administrator", - "MemberSid": "S-1-5-21-101361758-2486510592-3018839910-500", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1111", - "SubjectDomainName": "WLBEAT", - "MemberName": "CN=Administrator,CN=Users,DC=wlbeat,DC=local", - "SubjectLogonId": "0x4a727", - "TargetUserName": "test_group1", - "TargetDomainName": "WLBEAT", - "PrivilegeList": "-", - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500" - }, - "opcode": "Info", - "record_id": "4625", - "event_id": "4732", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-10-22T11:31:58.039Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "Administrator" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4732.xml" - } - }, - "host": { - "name": "WIN-41OB2LO92CR.wlbeat.local" - }, "event": { - "ingested": "2022-01-12T04:30:55.981051705Z", - "code": "4732", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "added-member-to-group", "category": [ "iam" ], + "code": "4732", + "kind": "event", + "outcome": "success", + "provider": 
"Microsoft-Windows-Security-Auditing", "type": [ "group", "change" - ], - "outcome": "success" + ] + }, + "group": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1111", + "name": "test_group1" + }, + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4732.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator" + ] }, "user": { - "name": "Administrator", - "id": "S-1-5-21-101361758-2486510592-3018839910-500", "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator", "target": { - "name": "Administrator", "domain": "local", "group": { - "name": "test_group1", "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1111" - } + "id": "S-1-5-21-101361758-2486510592-3018839910-1111", + "name": "test_group1" + }, + "name": "Administrator" } }, - "group": { - "name": "test_group1", - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1111" + "winlog": { + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_data": { + "MemberName": "CN=Administrator,CN=Users,DC=wlbeat,DC=local", + "MemberSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "PrivilegeList": "-", + "SubjectDomainName": "WLBEAT", + "SubjectLogonId": "0x4a727", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WLBEAT", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1111", + "TargetUserName": "test_group1" + }, + "event_id": "4732", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x4a727" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 772, + "thread": { + "id": 1664 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": 
"Microsoft-Windows-Security-Auditing", + "record_id": "4625", + "time_created": "2019-10-22T11:31:58.039Z" } } ] diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4733.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4733.json-expected.json index 7006c3308e8..68b986619a2 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4733.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4733.json-expected.json 
@@ -1,100 +1,99 @@ { "expected": [ { + "@timestamp": "2019-10-22T11:32:14.894Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "f4bfea9b-4505-4540-a5d6-ff3d901ddab0", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-10-22T11:32:14.894Z", - "winlog": { - "computer_name": "WIN-41OB2LO92CR.wlbeat.local", - "process": { - "pid": 772, - "thread": { - "id": 1664 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x4a727" - }, - "channel": "Security", - "event_data": { - "SubjectUserName": "Administrator", - "MemberSid": "S-1-5-21-101361758-2486510592-3018839910-500", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1111", - "SubjectDomainName": "WLBEAT", - "MemberName": "CN=Administrator,CN=Users,DC=wlbeat,DC=local", - "SubjectLogonId": "0x4a727", - "TargetUserName": "test_group1", - "TargetDomainName": "WLBEAT", - "PrivilegeList": "-", - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500" - }, - "opcode": "Info", - "record_id": "4627", - "event_id": "4733", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-10-22T11:32:14.894Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "Administrator" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4733.xml" - } - }, - "host": { - "name": "WIN-41OB2LO92CR.wlbeat.local" - }, "event": { - "ingested": "2022-01-12T04:30:56.951971291Z", - "code": "4733", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "removed-member-from-group", "category": [ "iam" ], + "code": "4733", + "kind": "event", + "outcome": "success", + "provider": 
"Microsoft-Windows-Security-Auditing", "type": [ "group", "change" - ], - "outcome": "success" + ] + }, + "group": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1111", + "name": "test_group1" + }, + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4733.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator" + ] }, "user": { - "name": "Administrator", - "id": "S-1-5-21-101361758-2486510592-3018839910-500", "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator", "target": { - "name": "Administrator", "domain": "local", "group": { - "name": "test_group1", "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1111" - } + "id": "S-1-5-21-101361758-2486510592-3018839910-1111", + "name": "test_group1" + }, + "name": "Administrator" } }, - "group": { - "name": "test_group1", - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1111" + "winlog": { + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_data": { + "MemberName": "CN=Administrator,CN=Users,DC=wlbeat,DC=local", + "MemberSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "PrivilegeList": "-", + "SubjectDomainName": "WLBEAT", + "SubjectLogonId": "0x4a727", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WLBEAT", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1111", + "TargetUserName": "test_group1" + }, + "event_id": "4733", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x4a727" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 772, + "thread": { + "id": 1664 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": 
"Microsoft-Windows-Security-Auditing", + "record_id": "4627", + "time_created": "2019-10-22T11:32:14.894Z" } } ] diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4734.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4734.json-expected.json index 753af476617..f4b6a57e4c3 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4734.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4734.json-expected.json 
@@ -1,89 +1,88 @@ { "expected": [ { + "@timestamp": "2019-10-22T11:32:35.127Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "932fe4f8-6220-47bc-8713-250d259a8d06", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-10-22T11:32:35.127Z", - "winlog": { - "computer_name": "WIN-41OB2LO92CR.wlbeat.local", - "process": { - "pid": 772, - "thread": { - "id": 1664 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x4a727" - }, - "channel": "Security", - "event_data": { - "SubjectUserName": "Administrator", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1111", - "SubjectDomainName": "WLBEAT", - "SubjectLogonId": "0x4a727", - "TargetUserName": "test_group1v1", - "TargetDomainName": "WLBEAT", - "PrivilegeList": "-", - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500" - }, - "opcode": "Info", - "record_id": "4630", - "event_id": "4734", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-10-22T11:32:35.127Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "Administrator" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4734.xml" - } - }, - "host": { - "name": "WIN-41OB2LO92CR.wlbeat.local" - }, "event": { - "ingested": "2022-01-12T04:30:57.664950429Z", - "code": "4734", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "deleted-group-account", "category": [ "iam" ], + "code": "4734", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "group", "deletion" - ], - "outcome": "success" + ] }, - "user": { - "name": 
"Administrator", + "group": { "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-500" + "id": "S-1-5-21-101361758-2486510592-3018839910-1111", + "name": "test_group1v1" }, - "group": { - "name": "test_group1v1", + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4734.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator" + ] + }, + "user": { "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1111" + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator" + }, + "winlog": { + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_data": { + "PrivilegeList": "-", + "SubjectDomainName": "WLBEAT", + "SubjectLogonId": "0x4a727", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WLBEAT", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1111", + "TargetUserName": "test_group1v1" + }, + "event_id": "4734", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x4a727" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 772, + "thread": { + "id": 1664 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "4630", + "time_created": "2019-10-22T11:32:35.127Z" } } ] diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4735.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4735.json-expected.json index 86b1ec6e892..d0bb16cb44f 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4735.json-expected.json 
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4735.json-expected.json 
@@ -1,91 +1,90 @@ { "expected": [ { + "@timestamp": "2019-10-22T11:32:30.425Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "302d5f9e-c923-4bd9-8747-1fe456a97546", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-10-22T11:32:30.425Z", - "winlog": { - "computer_name": "WIN-41OB2LO92CR.wlbeat.local", - "process": { - "pid": 772, - "thread": { - "id": 1664 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x4a727" - }, - "channel": "Security", - "event_data": { - "SamAccountName": "test_group1v1", - "SubjectUserName": "Administrator", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1111", - "SidHistory": "-", - "SubjectDomainName": "WLBEAT", - "SubjectLogonId": "0x4a727", - "TargetUserName": "test_group1v1", - "TargetDomainName": "WLBEAT", - "PrivilegeList": "-", - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500" - }, - "opcode": "Info", - "record_id": "4628", - "event_id": "4735", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-10-22T11:32:30.425Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "Administrator" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4735.xml" - } - }, - "host": { - "name": "WIN-41OB2LO92CR.wlbeat.local" - }, "event": { - "ingested": "2022-01-12T04:30:57.938259001Z", - "code": "4735", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "modified-group-account", "category": [ "iam" ], + "code": "4735", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "group", "change" - ], - 
"outcome": "success" + ] }, - "user": { - "name": "Administrator", + "group": { "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-500" + "id": "S-1-5-21-101361758-2486510592-3018839910-1111", + "name": "test_group1v1" }, - "group": { - "name": "test_group1v1", + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4735.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator" + ] + }, + "user": { "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1111" + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator" + }, + "winlog": { + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_data": { + "PrivilegeList": "-", + "SamAccountName": "test_group1v1", + "SidHistory": "-", + "SubjectDomainName": "WLBEAT", + "SubjectLogonId": "0x4a727", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WLBEAT", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1111", + "TargetUserName": "test_group1v1" + }, + "event_id": "4735", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x4a727" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 772, + "thread": { + "id": 1664 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "4628", + "time_created": "2019-10-22T11:32:30.425Z" } } ] diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4737.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4737.json-expected.json index dd2d4a68694..8ed0e2acbc0 100644 
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4737.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4737.json-expected.json 
@@ -1,91 +1,90 @@ { "expected": [ { + "@timestamp": "2019-10-22T11:33:57.271Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "751eaf5d-fe35-4c8f-9712-3ad2a1fbccc4", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-10-22T11:33:57.271Z", - "winlog": { - "computer_name": "WIN-41OB2LO92CR.wlbeat.local", - "process": { - "pid": 772, - "thread": { - "id": 1664 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x4a727" - }, - "channel": "Security", - "event_data": { - "SamAccountName": "-", - "SubjectUserName": "Administrator", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1112", - "SidHistory": "-", - "SubjectDomainName": "WLBEAT", - "SubjectLogonId": "0x4a727", - "TargetUserName": "test_group2v2", - "TargetDomainName": "WLBEAT", - "PrivilegeList": "-", - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500" - }, - "opcode": "Info", - "record_id": "4668", - "event_id": "4737", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-10-22T11:33:57.271Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "Administrator" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4737.xml" - } - }, - "host": { - "name": "WIN-41OB2LO92CR.wlbeat.local" - }, "event": { - "ingested": "2022-01-12T04:30:58.399184390Z", - "code": "4737", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "modified-group-account", "category": [ "iam" ], + "code": "4737", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "group", "change" - ], - "outcome": 
"success" + ] }, - "user": { - "name": "Administrator", + "group": { "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-500" + "id": "S-1-5-21-101361758-2486510592-3018839910-1112", + "name": "test_group2v2" }, - "group": { - "name": "test_group2v2", + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4737.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator" + ] + }, + "user": { "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1112" + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator" + }, + "winlog": { + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_data": { + "PrivilegeList": "-", + "SamAccountName": "-", + "SidHistory": "-", + "SubjectDomainName": "WLBEAT", + "SubjectLogonId": "0x4a727", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WLBEAT", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1112", + "TargetUserName": "test_group2v2" + }, + "event_id": "4737", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x4a727" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 772, + "thread": { + "id": 1664 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "4668", + "time_created": "2019-10-22T11:33:57.271Z" } } ] diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4738-account-changed.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4738-account-changed.json-expected.json index 243490e6a37..1c753372b03 100644 
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4738-account-changed.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4738-account-changed.json-expected.json 
@@ -1,116 +1,115 @@ { "expected": [ { + "@timestamp": "2019-09-06T13:36:17.566Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "8233890e-f67f-456f-833c-9695ee1564d6", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-09-06T13:36:17.566Z", - "winlog": { - "computer_name": "WIN-41OB2LO92CR", - "process": { - "pid": 780, - "thread": { - "id": 1980 - } - }, - "keywords": [ - "Audit Success" + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "modified-user-account", + "category": [ + "iam" ], - "level": "information", - "logon": { - "id": "0x264b2" + "code": "4738", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "user", + "change" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4738_Account_Changed.xml" }, + "level": "information" + }, + "related": { + "user": [ + "Administrator", + "elastictest1" + ] + }, + "user": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator", + "target": { + "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-1005", + "name": "elastictest1" + } + }, + "winlog": { + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", "channel": "Security", + "computer_name": "WIN-41OB2LO92CR", "event_data": { - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1005", + "AccountExpires": "%%1794", + "AllowedToDelegateTo": "-", + "DisplayName": "elastictest1", + "Dummy": "-", + "HomeDirectory": "%%1793", + "HomePath": "%%1793", + "LogonHours": "%%1797", "NewUACList": [ "LOCKOUT", "NORMAL_ACCOUNT" ], - "SidHistory": "-", - "LogonHours": "%%1797", - "ScriptPath": "%%1793", - "DisplayName": "elastictest1", 
- "HomePath": "%%1793", - "SubjectDomainName": "WIN-41OB2LO92CR", - "AllowedToDelegateTo": "-", - "TargetDomainName": "WIN-41OB2LO92CR", - "PrivilegeList": "-", - "UserWorkstations": "%%1793", - "SamAccountName": "elastictest1", - "HomeDirectory": "%%1793", - "OldUacValue": "0x210", - "UserParameters": "%%1793", "NewUacValue": "0x210", - "SubjectLogonId": "0x264b2", + "OldUacValue": "0x210", + "PasswordLastSet": "6/9/2019 10:30:28", "PrimaryGroupId": "513", - "AccountExpires": "%%1794", + "PrivilegeList": "-", "ProfilePath": "%%1793", + "SamAccountName": "elastictest1", + "ScriptPath": "%%1793", + "SidHistory": "-", + "SubjectDomainName": "WIN-41OB2LO92CR", + "SubjectLogonId": "0x264b2", "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1005", + "TargetUserName": "elastictest1", "UserAccountControl": [ "-" ], - "PasswordLastSet": "6/9/2019 10:30:28", + "UserParameters": "%%1793", "UserPrincipalName": "-", - "TargetUserName": "elastictest1", - "Dummy": "-", - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500" + "UserWorkstations": "%%1793" }, - "opcode": "Info", - "record_id": "2862", "event_id": "4738", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x264b2" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 780, + "thread": { + "id": 1980 + } + }, "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", - "time_created": "2019-09-06T13:36:17.566Z", "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, - "ecs": { - "version": "8.0.0" - }, - "related": { - "user": [ - "Administrator", - "elastictest1" - ] - }, - "log": { - "level": "information", - "file": { - "path": 
"/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4738_Account_Changed.xml" - } - }, - "host": { - "name": "WIN-41OB2LO92CR" - }, - "event": { - "ingested": "2022-01-12T04:30:58.954770442Z", - "code": "4738", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", - "action": "modified-user-account", - "category": [ - "iam" - ], - "type": [ - "user", - "change" - ], - "outcome": "success" - }, - "user": { - "name": "Administrator", - "id": "S-1-5-21-101361758-2486510592-3018839910-500", - "domain": "WIN-41OB2LO92CR", - "target": { - "name": "elastictest1", - "domain": "WIN-41OB2LO92CR", - "id": "S-1-5-21-101361758-2486510592-3018839910-1005" - } + "record_id": "2862", + "time_created": "2019-09-06T13:36:17.566Z" } } ] diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4740-account-locked-out.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4740-account-locked-out.json-expected.json index 9ff2a7c0000..411f2073335 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4740-account-locked-out.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4740-account-locked-out.json-expected.json 
@@ -1,90 +1,89 @@ { "expected": [ { + "@timestamp": "2019-09-06T13:39:43.085Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "8caa1f31-d548-434d-ac5b-f3725137fe68", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-09-06T13:39:43.085Z", - "winlog": { - "computer_name": "WIN-41OB2LO92CR", - "process": { - "pid": 780, - "thread": { - "id": 532 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x3e7" - }, - "channel": "Security", - "event_data": { - "SubjectUserName": "WIN-41OB2LO92CR$", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1005", - "SubjectDomainName": "WORKGROUP", - "SubjectLogonId": "0x3e7", - "TargetUserName": "elastictest1", - "TargetDomainName": "WIN-41OB2LO92CR", - "SubjectUserSid": "S-1-5-18" - }, - "opcode": "Info", - "record_id": "2883", - "event_id": "4740", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", - "time_created": "2019-09-06T13:39:43.085Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "WIN-41OB2LO92CR$", - "elastictest1" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4740_Account_Locked_Out.xml" - } - }, - "host": { - "name": "WIN-41OB2LO92CR" - }, "event": { - "ingested": "2022-01-12T04:30:59.505797582Z", - "code": "4740", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "locked-out-user-account", "category": [ "iam" ], + "code": "4740", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "user", "change" - ], - "outcome": "success" + ] + }, + "host": { 
+ "name": "WIN-41OB2LO92CR" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4740_Account_Locked_Out.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "WIN-41OB2LO92CR$", + "elastictest1" + ] }, "user": { - "name": "WIN-41OB2LO92CR$", - "id": "S-1-5-18", "domain": "WORKGROUP", + "id": "S-1-5-18", + "name": "WIN-41OB2LO92CR$", "target": { - "name": "elastictest1", "domain": "WIN-41OB2LO92CR", - "id": "S-1-5-21-101361758-2486510592-3018839910-1005" + "id": "S-1-5-21-101361758-2486510592-3018839910-1005", + "name": "elastictest1" } + }, + "winlog": { + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR", + "event_data": { + "SubjectDomainName": "WORKGROUP", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "WIN-41OB2LO92CR$", + "SubjectUserSid": "S-1-5-18", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1005", + "TargetUserName": "elastictest1" + }, + "event_id": "4740", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x3e7" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 780, + "thread": { + "id": 532 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "2883", + "time_created": "2019-09-06T13:39:43.085Z" } } ] diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4754.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4754.json-expected.json index b0daa82519b..4ef6c222c1e 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4754.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4754.json-expected.json 
@@ -1,91 +1,90 @@ { "expected": [ { + "@timestamp": "2019-10-22T11:34:33.783Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "fea32ff4-794a-4eb4-bd70-9683cab0491a", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-10-22T11:34:33.783Z", - "winlog": { - "computer_name": "WIN-41OB2LO92CR.wlbeat.local", - "process": { - "pid": 772, - "thread": { - "id": 1664 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x4a727" - }, - "channel": "Security", - "event_data": { - "SamAccountName": "Test_group3", - "SubjectUserName": "Administrator", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1113", - "SidHistory": "-", - "SubjectDomainName": "WLBEAT", - "SubjectLogonId": "0x4a727", - "TargetUserName": "Test_group3", - "TargetDomainName": "WLBEAT", - "PrivilegeList": "-", - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500" - }, - "opcode": "Info", - "record_id": "4676", - "event_id": "4754", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-10-22T11:34:33.783Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "Administrator" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4754.xml" - } - }, - "host": { - "name": "WIN-41OB2LO92CR.wlbeat.local" - }, "event": { - "ingested": "2022-01-12T04:31:00.145075737Z", - "code": "4754", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "added-group-account", "category": [ "iam" ], + "code": "4754", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "group", "creation" - ], - "outcome": 
"success" + ] }, - "user": { - "name": "Administrator", + "group": { "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-500" + "id": "S-1-5-21-101361758-2486510592-3018839910-1113", + "name": "Test_group3" }, - "group": { - "name": "Test_group3", + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4754.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator" + ] + }, + "user": { "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1113" + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator" + }, + "winlog": { + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_data": { + "PrivilegeList": "-", + "SamAccountName": "Test_group3", + "SidHistory": "-", + "SubjectDomainName": "WLBEAT", + "SubjectLogonId": "0x4a727", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WLBEAT", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1113", + "TargetUserName": "Test_group3" + }, + "event_id": "4754", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x4a727" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 772, + "thread": { + "id": 1664 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "4676", + "time_created": "2019-10-22T11:34:33.783Z" } } ] diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4755.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4755.json-expected.json index 4fc438797df..21356aea0f4 100644 
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4755.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4755.json-expected.json 
@@ -1,91 +1,90 @@ { "expected": [ { + "@timestamp": "2019-10-22T11:35:09.070Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "bf0291c9-a8c8-4380-8767-3edd8e19e7e0", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-10-22T11:35:09.070Z", - "winlog": { - "computer_name": "WIN-41OB2LO92CR.wlbeat.local", - "process": { - "pid": 772, - "thread": { - "id": 1664 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x4a727" - }, - "channel": "Security", - "event_data": { - "SamAccountName": "-", - "SubjectUserName": "Administrator", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1113", - "SidHistory": "-", - "SubjectDomainName": "WLBEAT", - "SubjectLogonId": "0x4a727", - "TargetUserName": "Test_group3v2", - "TargetDomainName": "WLBEAT", - "PrivilegeList": "-", - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500" - }, - "opcode": "Info", - "record_id": "4685", - "event_id": "4755", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-10-22T11:35:09.070Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "Administrator" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4755.xml" - } - }, - "host": { - "name": "WIN-41OB2LO92CR.wlbeat.local" - }, "event": { - "ingested": "2022-01-12T04:31:00.444817522Z", - "code": "4755", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "modified-group-account", "category": [ "iam" ], + "code": "4755", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "group", "change" - ], - "outcome": 
"success" + ] }, - "user": { - "name": "Administrator", + "group": { "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-500" + "id": "S-1-5-21-101361758-2486510592-3018839910-1113", + "name": "Test_group3v2" }, - "group": { - "name": "Test_group3v2", + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4755.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator" + ] + }, + "user": { "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1113" + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator" + }, + "winlog": { + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_data": { + "PrivilegeList": "-", + "SamAccountName": "-", + "SidHistory": "-", + "SubjectDomainName": "WLBEAT", + "SubjectLogonId": "0x4a727", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WLBEAT", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1113", + "TargetUserName": "Test_group3v2" + }, + "event_id": "4755", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x4a727" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 772, + "thread": { + "id": 1664 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "4685", + "time_created": "2019-10-22T11:35:09.070Z" } } ] diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4756.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4756.json-expected.json index 3f576a64971..4bf17583bb6 100644 
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4756.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4756.json-expected.json 
@@ -1,100 +1,99 @@ { "expected": [ { + "@timestamp": "2019-10-22T11:34:58.413Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "bb4b02fe-1669-4fc2-9334-59658aa314bd", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-10-22T11:34:58.413Z", - "winlog": { - "computer_name": "WIN-41OB2LO92CR.wlbeat.local", - "process": { - "pid": 772, - "thread": { - "id": 1664 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x4a727" - }, - "channel": "Security", - "event_data": { - "SubjectUserName": "Administrator", - "MemberSid": "S-1-5-21-101361758-2486510592-3018839910-500", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1113", - "SubjectDomainName": "WLBEAT", - "MemberName": "CN=Administrator,CN=Users,DC=wlbeat,DC=local", - "SubjectLogonId": "0x4a727", - "TargetUserName": "Test_group3v2", - "TargetDomainName": "WLBEAT", - "PrivilegeList": "-", - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500" - }, - "opcode": "Info", - "record_id": "4684", - "event_id": "4756", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-10-22T11:34:58.413Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "Administrator" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4756.xml" - } - }, - "host": { - "name": "WIN-41OB2LO92CR.wlbeat.local" - }, "event": { - "ingested": "2022-01-12T04:31:01.247020939Z", - "code": "4756", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "added-member-to-group", "category": [ "iam" ], + "code": "4756", + "kind": "event", + "outcome": "success", + "provider": 
"Microsoft-Windows-Security-Auditing", "type": [ "group", "change" - ], - "outcome": "success" + ] + }, + "group": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1113", + "name": "Test_group3v2" + }, + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4756.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator" + ] }, "user": { - "name": "Administrator", - "id": "S-1-5-21-101361758-2486510592-3018839910-500", "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator", "target": { - "name": "Administrator", "domain": "local", "group": { - "name": "Test_group3v2", "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1113" - } + "id": "S-1-5-21-101361758-2486510592-3018839910-1113", + "name": "Test_group3v2" + }, + "name": "Administrator" } }, - "group": { - "name": "Test_group3v2", - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1113" + "winlog": { + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_data": { + "MemberName": "CN=Administrator,CN=Users,DC=wlbeat,DC=local", + "MemberSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "PrivilegeList": "-", + "SubjectDomainName": "WLBEAT", + "SubjectLogonId": "0x4a727", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WLBEAT", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1113", + "TargetUserName": "Test_group3v2" + }, + "event_id": "4756", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x4a727" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 772, + "thread": { + "id": 1664 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": 
"Microsoft-Windows-Security-Auditing", + "record_id": "4684", + "time_created": "2019-10-22T11:34:58.413Z" } } ] diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4757.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4757.json-expected.json index 559cf9f1ea7..6ecfc0c4348 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4757.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4757.json-expected.json 
@@ -1,100 +1,99 @@ { "expected": [ { + "@timestamp": "2019-10-22T11:35:09.070Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "108404d6-5e5a-4fc8-af1c-882b4a9e776a", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-10-22T11:35:09.070Z", - "winlog": { - "computer_name": "WIN-41OB2LO92CR.wlbeat.local", - "process": { - "pid": 772, - "thread": { - "id": 1664 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x4a727" - }, - "channel": "Security", - "event_data": { - "SubjectUserName": "Administrator", - "MemberSid": "S-1-5-21-101361758-2486510592-3018839910-500", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1113", - "SubjectDomainName": "WLBEAT", - "MemberName": "CN=Administrator,CN=Users,DC=wlbeat,DC=local", - "SubjectLogonId": "0x4a727", - "TargetUserName": "Test_group3v2", - "TargetDomainName": "WLBEAT", - "PrivilegeList": "-", - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500" - }, - "opcode": "Info", - "record_id": "4686", - "event_id": "4757", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-10-22T11:35:09.070Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "Administrator" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4757.xml" - } - }, - "host": { - "name": "WIN-41OB2LO92CR.wlbeat.local" - }, "event": { - "ingested": "2022-01-12T04:31:01.629437493Z", - "code": "4757", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "removed-member-from-group", "category": [ "iam" ], + "code": "4757", + "kind": "event", + "outcome": "success", + "provider": 
"Microsoft-Windows-Security-Auditing", "type": [ "group", "change" - ], - "outcome": "success" + ] + }, + "group": { + "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-1113", + "name": "Test_group3v2" + }, + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4757.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator" + ] }, "user": { - "name": "Administrator", - "id": "S-1-5-21-101361758-2486510592-3018839910-500", "domain": "WLBEAT", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator", "target": { - "name": "Administrator", "domain": "local", "group": { - "name": "Test_group3v2", "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1113" - } + "id": "S-1-5-21-101361758-2486510592-3018839910-1113", + "name": "Test_group3v2" + }, + "name": "Administrator" } }, - "group": { - "name": "Test_group3v2", - "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1113" + "winlog": { + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_data": { + "MemberName": "CN=Administrator,CN=Users,DC=wlbeat,DC=local", + "MemberSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "PrivilegeList": "-", + "SubjectDomainName": "WLBEAT", + "SubjectLogonId": "0x4a727", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WLBEAT", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1113", + "TargetUserName": "Test_group3v2" + }, + "event_id": "4757", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x4a727" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 772, + "thread": { + "id": 1664 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": 
"Microsoft-Windows-Security-Auditing", + "record_id": "4686", + "time_created": "2019-10-22T11:35:09.070Z" } } ] diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4758.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4758.json-expected.json index c97f38638e7..54e7ff49ae5 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4758.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4758.json-expected.json 
@@ -1,89 +1,88 @@ { "expected": [ { + "@timestamp": "2019-10-22T11:35:13.550Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "a8b7cf01-1874-48ac-9ba5-359576812e03", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-10-22T11:35:13.550Z", - "winlog": { - "computer_name": "WIN-41OB2LO92CR.wlbeat.local", - "process": { - "pid": 772, - "thread": { - "id": 1664 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x4a727" - }, - "channel": "Security", - "event_data": { - "SubjectUserName": "Administrator", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1113", - "SubjectDomainName": "WLBEAT", - "SubjectLogonId": "0x4a727", - "TargetUserName": "Test_group3v2", - "TargetDomainName": "WLBEAT", - "PrivilegeList": "-", - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500" - }, - "opcode": "Info", - "record_id": "4687", - "event_id": "4758", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-10-22T11:35:13.550Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "Administrator" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4758.xml" - } - }, - "host": { - "name": "WIN-41OB2LO92CR.wlbeat.local" - }, "event": { - "ingested": "2022-01-12T04:31:02.644245040Z", - "code": "4758", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "deleted-group-account", "category": [ "iam" ], + "code": "4758", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "group", "deletion" - ], - "outcome": "success" + ] }, - "user": { - "name": 
"Administrator", + "group": { "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-500" + "id": "S-1-5-21-101361758-2486510592-3018839910-1113", + "name": "Test_group3v2" }, - "group": { - "name": "Test_group3v2", + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4758.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator" + ] + }, + "user": { "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1113" + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator" + }, + "winlog": { + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_data": { + "PrivilegeList": "-", + "SubjectDomainName": "WLBEAT", + "SubjectLogonId": "0x4a727", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WLBEAT", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1113", + "TargetUserName": "Test_group3v2" + }, + "event_id": "4758", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x4a727" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 772, + "thread": { + "id": 1664 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "4687", + "time_created": "2019-10-22T11:35:13.550Z" } } ] diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4764.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4764.json-expected.json index b2f85c10479..b9536acbb68 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4764.json-expected.json 
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4764.json-expected.json 
@@ -1,90 +1,89 @@ { "expected": [ { + "@timestamp": "2019-10-22T11:33:57.271Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "5d24bfd7-c07c-4458-8a1d-8742d5cb6166", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-10-22T11:33:57.271Z", - "winlog": { - "computer_name": "WIN-41OB2LO92CR.wlbeat.local", - "process": { - "pid": 772, - "thread": { - "id": 1664 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x4a727" - }, - "channel": "Security", - "event_data": { - "SubjectUserName": "Administrator", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1112", - "GroupTypeChange": "Security Enabled Universal Group Changed to Security Enabled Global Group.", - "SubjectDomainName": "WLBEAT", - "SubjectLogonId": "0x4a727", - "TargetUserName": "test_group2v2", - "TargetDomainName": "WLBEAT", - "PrivilegeList": "-", - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500" - }, - "opcode": "Info", - "record_id": "4669", - "event_id": "4764", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-10-22T11:33:57.271Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "Administrator" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4764.xml" - } - }, - "host": { - "name": "WIN-41OB2LO92CR.wlbeat.local" - }, "event": { - "ingested": "2022-01-12T04:31:02.909989807Z", - "code": "4764", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "type-changed-group-account", "category": [ "iam" ], + "code": "4764", + "kind": "event", + "outcome": "success", + "provider": 
"Microsoft-Windows-Security-Auditing", "type": [ "group", "change" - ], - "outcome": "success" + ] }, - "user": { - "name": "Administrator", + "group": { "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-500" + "id": "S-1-5-21-101361758-2486510592-3018839910-1112", + "name": "test_group2v2" }, - "group": { - "name": "test_group2v2", + "host": { + "name": "WIN-41OB2LO92CR.wlbeat.local" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4764.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator" + ] + }, + "user": { "domain": "WLBEAT", - "id": "S-1-5-21-101361758-2486510592-3018839910-1112" + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator" + }, + "winlog": { + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR.wlbeat.local", + "event_data": { + "GroupTypeChange": "Security Enabled Universal Group Changed to Security Enabled Global Group.", + "PrivilegeList": "-", + "SubjectDomainName": "WLBEAT", + "SubjectLogonId": "0x4a727", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WLBEAT", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1112", + "TargetUserName": "test_group2v2" + }, + "event_id": "4764", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x4a727" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 772, + "thread": { + "id": 1664 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "4669", + "time_created": "2019-10-22T11:33:57.271Z" } } ] 
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4767-account-unlocked.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4767-account-unlocked.json-expected.json index 3f96150db0e..bcb1f1f9807 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4767-account-unlocked.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4767-account-unlocked.json-expected.json 
@@ -1,90 +1,89 @@ { "expected": [ { + "@timestamp": "2019-09-06T13:40:52.314Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "7ab867f5-fdb6-44f7-8d6a-15aa3b0a5d7d", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-09-06T13:40:52.314Z", - "winlog": { - "computer_name": "WIN-41OB2LO92CR", - "process": { - "pid": 780, - "thread": { - "id": 808 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x264b2" - }, - "channel": "Security", - "event_data": { - "SubjectUserName": "Administrator", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1005", - "SubjectDomainName": "WIN-41OB2LO92CR", - "SubjectLogonId": "0x264b2", - "TargetUserName": "elastictest1", - "TargetDomainName": "WIN-41OB2LO92CR", - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500" - }, - "opcode": "Info", - "record_id": "2892", - "event_id": "4767", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", - "time_created": "2019-09-06T13:40:52.314Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "Administrator", - "elastictest1" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4767_Account_Unlocked.xml" - } - }, - "host": { - "name": "WIN-41OB2LO92CR" - }, "event": { - "ingested": "2022-01-12T04:31:03.203244090Z", - "code": "4767", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "unlocked-user-account", "category": [ "iam" ], + "code": "4767", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "user", "change" - ], - 
"outcome": "success" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4767_Account_Unlocked.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator", + "elastictest1" + ] }, "user": { - "name": "Administrator", - "id": "S-1-5-21-101361758-2486510592-3018839910-500", "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator", "target": { - "name": "elastictest1", "domain": "WIN-41OB2LO92CR", - "id": "S-1-5-21-101361758-2486510592-3018839910-1005" + "id": "S-1-5-21-101361758-2486510592-3018839910-1005", + "name": "elastictest1" } + }, + "winlog": { + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR", + "event_data": { + "SubjectDomainName": "WIN-41OB2LO92CR", + "SubjectLogonId": "0x264b2", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1005", + "TargetUserName": "elastictest1" + }, + "event_id": "4767", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x264b2" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 780, + "thread": { + "id": 808 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "2892", + "time_created": "2019-09-06T13:40:52.314Z" } } ] diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4781-account-renamed.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4781-account-renamed.json-expected.json index b1edb24a147..9fc26d48bf3 100644 
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4781-account-renamed.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4781-account-renamed.json-expected.json 
@@ -1,113 +1,74 @@ { "expected": [ { + "@timestamp": "2019-09-06T13:38:17.556Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "e3cf97cd-7154-4089-afea-1b754fd47391", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-09-06T13:38:17.556Z", - "winlog": { - "computer_name": "WIN-41OB2LO92CR", - "process": { - "pid": 780, - "thread": { - "id": 808 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x264b2" - }, - "channel": "Security", - "event_data": { - "SubjectUserName": "Administrator", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1006", - "OldTargetUserName": "audittest0609", - "SubjectDomainName": "WIN-41OB2LO92CR", - "SubjectLogonId": "0x264b2", - "TargetDomainName": "WIN-41OB2LO92CR", - "NewTargetUserName": "audittest06", - "PrivilegeList": "-", - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500" - }, - "opcode": "Info", - "record_id": "2873", - "event_id": "4781", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", - "time_created": "2019-09-06T13:38:17.556Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "Administrator", - "audittest06", - "audittest0609" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4781_Account_Renamed.xml" - } - }, - "host": { - "name": "WIN-41OB2LO92CR" - }, "event": { - "ingested": "2022-01-12T04:31:03.945619446Z", - "code": "4781", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "renamed-user-account", "category": [ "iam" ], + "code": "4781", + "kind": "event", + "outcome": "success", + 
"provider": "Microsoft-Windows-Security-Auditing", "type": [ "user", "change" - ], - "outcome": "success" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4781_Account_Renamed.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator", + "audittest06", + "audittest0609" + ] }, "user": { - "name": "Administrator", "changes": { "name": "audittest06" }, - "id": "S-1-5-21-101361758-2486510592-3018839910-500", "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator", "target": { "name": "audittest0609" } - } - }, - { - "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "ephemeral_id": "e3cf97cd-7154-4089-afea-1b754fd47391", - "type": "filebeat", - "version": "8.0.0" }, - "@timestamp": "2019-09-06T13:38:23.516Z", "winlog": { + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "channel": "Security", "computer_name": "WIN-41OB2LO92CR", - "process": { - "pid": 780, - "thread": { - "id": 808 - } + "event_data": { + "NewTargetUserName": "audittest06", + "OldTargetUserName": "audittest0609", + "PrivilegeList": "-", + "SubjectDomainName": "WIN-41OB2LO92CR", + "SubjectLogonId": "0x264b2", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1006" }, + "event_id": "4781", "keywords": [ "Audit Success" ], 
@@ -115,71 +76,108 @@ "logon": { "id": "0x264b2" }, - "channel": "Security", - "event_data": { - "SubjectUserName": "Administrator", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1006", - "OldTargetUserName": "audittest06", - "SubjectDomainName": "WIN-41OB2LO92CR", - "SubjectLogonId": "0x264b2", - "TargetDomainName": "WIN-41OB2LO92CR", - "NewTargetUserName": "audittest0609", - "PrivilegeList": "-", - "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500" - }, "opcode": "Info", - "record_id": "2875", - "event_id": "4781", + "outcome": "success", + "process": { + "pid": 780, + "thread": { + "id": 808 + } + }, "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", - "time_created": "2019-09-06T13:38:23.516Z", "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" + "record_id": "2873", + "time_created": "2019-09-06T13:38:17.556Z" + } + }, + { + "@timestamp": "2019-09-06T13:38:23.516Z", + "agent": { + "ephemeral_id": "e3cf97cd-7154-4089-afea-1b754fd47391", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "Administrator", - "audittest0609", - "audittest06" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4781_Account_Renamed.xml" - } - }, - "host": { - "name": "WIN-41OB2LO92CR" - }, "event": { - "ingested": "2022-01-12T04:31:03.945622304Z", - "code": "4781", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "renamed-user-account", "category": [ "iam" ], + "code": "4781", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "user", "change" - ], - "outcome": "success" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "log": { 
+ "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4781_Account_Renamed.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator", + "audittest0609", + "audittest06" + ] }, "user": { - "name": "Administrator", "changes": { "name": "audittest0609" }, - "id": "S-1-5-21-101361758-2486510592-3018839910-500", "domain": "WIN-41OB2LO92CR", + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator", "target": { "name": "audittest06" } + }, + "winlog": { + "activity_id": "{1200ce16-64b6-0000-0ed0-0012b664d501}", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR", + "event_data": { + "NewTargetUserName": "audittest0609", + "OldTargetUserName": "audittest06", + "PrivilegeList": "-", + "SubjectDomainName": "WIN-41OB2LO92CR", + "SubjectLogonId": "0x264b2", + "SubjectUserName": "Administrator", + "SubjectUserSid": "S-1-5-21-101361758-2486510592-3018839910-500", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1006" + }, + "event_id": "4781", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x264b2" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 780, + "thread": { + "id": 808 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "2875", + "time_created": "2019-09-06T13:38:23.516Z" } } ] diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4798.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4798.json-expected.json index a8d4e618e6e..241bd74fe04 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4798.json-expected.json 
+++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4798.json-expected.json 
@@ -1,92 +1,91 @@ { "expected": [ { + "@timestamp": "2019-10-08T10:20:34.053Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "d7c725da-6710-4bcf-b920-15c37a8b1d86", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-10-08T10:20:34.053Z", - "winlog": { - "computer_name": "WIN-41OB2LO92CR", - "process": { - "pid": 780, - "thread": { - "id": 1740 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x3e7" - }, - "channel": "Security", - "event_data": { - "CallerProcessId": "0x3f0", - "SubjectUserName": "WIN-41OB2LO92CR$", - "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1005", - "SubjectDomainName": "WORKGROUP", - "SubjectLogonId": "0x3e7", - "TargetUserName": "elastictest1", - "CallerProcessName": "C:\\Windows\\System32\\LogonUI.exe", - "TargetDomainName": "WIN-41OB2LO92CR", - "SubjectUserSid": "S-1-5-18" - }, - "opcode": "Info", - "record_id": "2996", - "event_id": "4798", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "activity_id": "{c3ff3c1c-7dc1-0000-233e-ffc3c17dd501}", - "time_created": "2019-10-08T10:20:34.053Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "WIN-41OB2LO92CR$", - "elastictest1" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4798.xml" - } - }, - "host": { - "name": "WIN-41OB2LO92CR" - }, "event": { - "ingested": "2022-01-12T04:31:04.611015465Z", - "code": "4798", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "group-membership-enumerated", "category": [ "iam" ], + "code": "4798", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", 
"type": [ "user", "info" - ], - "outcome": "success" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4798.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "WIN-41OB2LO92CR$", + "elastictest1" + ] }, "user": { - "name": "WIN-41OB2LO92CR$", - "id": "S-1-5-18", "domain": "WORKGROUP", + "id": "S-1-5-18", + "name": "WIN-41OB2LO92CR$", "target": { - "name": "elastictest1", "domain": "WIN-41OB2LO92CR", - "id": "S-1-5-21-101361758-2486510592-3018839910-1005" + "id": "S-1-5-21-101361758-2486510592-3018839910-1005", + "name": "elastictest1" } + }, + "winlog": { + "activity_id": "{c3ff3c1c-7dc1-0000-233e-ffc3c17dd501}", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR", + "event_data": { + "CallerProcessId": "0x3f0", + "CallerProcessName": "C:\\Windows\\System32\\LogonUI.exe", + "SubjectDomainName": "WORKGROUP", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "WIN-41OB2LO92CR$", + "SubjectUserSid": "S-1-5-18", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetSid": "S-1-5-21-101361758-2486510592-3018839910-1005", + "TargetUserName": "elastictest1" + }, + "event_id": "4798", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x3e7" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 780, + "thread": { + "id": 1740 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "2996", + "time_created": "2019-10-08T10:20:34.053Z" } } ] diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4799.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4799.json-expected.json index 2d9c3591e01..d741c0b47f7 100644 
--- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4799.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-4799.json-expected.json 
@@ -1,91 +1,90 @@ { "expected": [ { + "@timestamp": "2019-10-08T10:20:44.472Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "3e299efc-a8d9-4a33-9acf-dbf6c4cd8ba4", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-10-08T10:20:44.472Z", - "winlog": { - "computer_name": "WIN-41OB2LO92CR", - "process": { - "pid": 780, - "thread": { - "id": 820 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "id": "0x3e7" - }, - "channel": "Security", - "event_data": { - "CallerProcessId": "0x494", - "SubjectUserName": "WIN-41OB2LO92CR$", - "TargetSid": "S-1-5-32-544", - "SubjectDomainName": "WORKGROUP", - "SubjectLogonId": "0x3e7", - "TargetUserName": "Administrators", - "CallerProcessName": "C:\\Windows\\System32\\svchost.exe", - "TargetDomainName": "Builtin", - "SubjectUserSid": "S-1-5-18" - }, - "opcode": "Info", - "record_id": "3002", - "event_id": "4799", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "activity_id": "{c3ff3c1c-7dc1-0000-233e-ffc3c17dd501}", - "time_created": "2019-10-08T10:20:44.472Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "WIN-41OB2LO92CR$" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4799.xml" - } - }, - "host": { - "name": "WIN-41OB2LO92CR" - }, "event": { - "ingested": "2022-01-12T04:31:04.915292010Z", - "code": "4799", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "user-member-enumerated", "category": [ "iam" ], + "code": "4799", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "group", "info" - ], - "outcome": "success" + ] + }, 
+ "group": { + "domain": "Builtin", + "id": "S-1-5-32-544", + "name": "Administrators" + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016_4799.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "WIN-41OB2LO92CR$" + ] }, "user": { - "name": "WIN-41OB2LO92CR$", "domain": "WORKGROUP", - "id": "S-1-5-18" + "id": "S-1-5-18", + "name": "WIN-41OB2LO92CR$" }, - "group": { - "name": "Administrators", - "domain": "Builtin", - "id": "S-1-5-32-544" + "winlog": { + "activity_id": "{c3ff3c1c-7dc1-0000-233e-ffc3c17dd501}", + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR", + "event_data": { + "CallerProcessId": "0x494", + "CallerProcessName": "C:\\Windows\\System32\\svchost.exe", + "SubjectDomainName": "WORKGROUP", + "SubjectLogonId": "0x3e7", + "SubjectUserName": "WIN-41OB2LO92CR$", + "SubjectUserSid": "S-1-5-18", + "TargetDomainName": "Builtin", + "TargetSid": "S-1-5-32-544", + "TargetUserName": "Administrators" + }, + "event_id": "4799", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x3e7" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 780, + "thread": { + "id": 820 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "3002", + "time_created": "2019-10-08T10:20:44.472Z" } } ] diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-logoff.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-logoff.json-expected.json index 784184798b4..599cf204d37 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-logoff.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2016-logoff.json-expected.json 
@@ -1,159 +1,157 @@ { "expected": [ { + "@timestamp": "2019-05-17T11:06:58.210Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "3b9c486d-b279-48cc-bee6-45548541f490", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, - "@timestamp": "2019-05-17T11:06:58.210Z", - "winlog": { - "computer_name": "WIN-41OB2LO92CR", - "process": { - "pid": 776, - "thread": { - "id": 540 - } - }, - "keywords": [ - "Audit Success" - ], - "level": "information", - "logon": { - "type": "Network", - "id": "0x767a77" - }, - "channel": "Security", - "event_data": { - "TargetLogonId": "0x767a77", - "LogonType": "3", - "TargetUserName": "audittest", - "TargetDomainName": "WIN-41OB2LO92CR", - "TargetUserSid": "S-1-5-21-101361758-2486510592-3018839910-1000" - }, - "opcode": "Info", - "record_id": "485", - "event_id": "4634", - "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-05-17T11:06:58.210Z", - "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "audittest" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016-logoff.xml" - } - }, - "host": { - "name": "WIN-41OB2LO92CR" - }, "event": { - "ingested": "2022-01-12T04:31:05.692685883Z", - "code": "4634", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "logged-out", "category": [ "authentication" ], + "code": "4634", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "end" - ], - "outcome": "success" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016-logoff.xml" 
+ }, + "level": "information" + }, + "related": { + "user": [ + "audittest" + ] }, "user": { - "name": "audittest", "domain": "WIN-41OB2LO92CR", - "id": "S-1-5-21-101361758-2486510592-3018839910-1000" - } - }, - { - "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "ephemeral_id": "3b9c486d-b279-48cc-bee6-45548541f490", - "type": "filebeat", - "version": "8.0.0" + "id": "S-1-5-21-101361758-2486510592-3018839910-1000", + "name": "audittest" }, - "@timestamp": "2019-05-19T16:15:38.542Z", "winlog": { + "channel": "Security", "computer_name": "WIN-41OB2LO92CR", - "process": { - "pid": 780, - "thread": { - "id": 820 - } + "event_data": { + "LogonType": "3", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetLogonId": "0x767a77", + "TargetUserName": "audittest", + "TargetUserSid": "S-1-5-21-101361758-2486510592-3018839910-1000" }, + "event_id": "4634", "keywords": [ "Audit Success" ], "level": "information", "logon": { - "type": "Network", - "id": "0x104a4a6" - }, - "channel": "Security", - "event_data": { - "TargetLogonId": "0x104a4a6", - "LogonType": "3", - "TargetUserName": "Administrator", - "TargetDomainName": "WIN-41OB2LO92CR", - "TargetUserSid": "S-1-5-21-101361758-2486510592-3018839910-500" + "id": "0x767a77", + "type": "Network" }, "opcode": "Info", - "record_id": "747", - "event_id": "4634", + "outcome": "success", + "process": { + "pid": 776, + "thread": { + "id": 540 + } + }, "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-05-19T16:15:38.542Z", "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" + "record_id": "485", + "time_created": "2019-05-17T11:06:58.210Z" + } + }, + { + "@timestamp": "2019-05-19T16:15:38.542Z", + "agent": { + "ephemeral_id": "3b9c486d-b279-48cc-bee6-45548541f490", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" }, "ecs": { "version": "8.0.0" }, - "related": 
{ - "user": [ - "Administrator" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016-logoff.xml" - } - }, - "host": { - "name": "WIN-41OB2LO92CR" - }, "event": { - "ingested": "2022-01-12T04:31:05.692688458Z", - "code": "4634", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "logged-out", "category": [ "authentication" ], + "code": "4634", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "end" - ], - "outcome": "success" + ] + }, + "host": { + "name": "WIN-41OB2LO92CR" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2016-logoff.xml" + }, + "level": "information" + }, + "related": { + "user": [ + "Administrator" + ] }, "user": { - "name": "Administrator", "domain": "WIN-41OB2LO92CR", - "id": "S-1-5-21-101361758-2486510592-3018839910-500" + "id": "S-1-5-21-101361758-2486510592-3018839910-500", + "name": "Administrator" + }, + "winlog": { + "channel": "Security", + "computer_name": "WIN-41OB2LO92CR", + "event_data": { + "LogonType": "3", + "TargetDomainName": "WIN-41OB2LO92CR", + "TargetLogonId": "0x104a4a6", + "TargetUserName": "Administrator", + "TargetUserSid": "S-1-5-21-101361758-2486510592-3018839910-500" + }, + "event_id": "4634", + "keywords": [ + "Audit Success" + ], + "level": "information", + "logon": { + "id": "0x104a4a6", + "type": "Network" + }, + "opcode": "Info", + "outcome": "success", + "process": { + "pid": 780, + "thread": { + "id": 820 + } + }, + "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", + "provider_name": "Microsoft-Windows-Security-Auditing", + "record_id": "747", + "time_created": "2019-05-19T16:15:38.542Z" } } ] 
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2019-4688-process-created.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2019-4688-process-created.json-expected.json index ebd3f37dd7b..d69d247abe7 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2019-4688-process-created.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2019-4688-process-created.json-expected.json 
@@ -1,37 +1,86 @@ { "expected": [ { + "@timestamp": "2019-11-14T17:10:15.151Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "533cc04e-1719-48a1-ac94-731ac0fffcb7", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "created-process", + "category": [ + "process" + ], + "code": "4688", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "start" + ] + }, + "host": { + "name": "vagrant" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4688_Process_Created.xml" + }, + "level": "information" + }, "process": { "args": [ "\"C:\\Windows\\system32\\wevtutil.exe\"", "cl", "Security" ], + "command_line": "\"C:\\Windows\\system32\\wevtutil.exe\" cl Security", + "executable": "C:\\Windows\\System32\\wevtutil.exe", "name": "wevtutil.exe", "parent": { + "executable": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "name": "powershell.exe", - "executable": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" + "pid": 4652 }, - "pid": 4556, - "executable": "C:\\Windows\\System32\\wevtutil.exe", - "command_line": "\"C:\\Windows\\system32\\wevtutil.exe\" cl Security" + "pid": 4556 + }, + "related": { + "user": [ + "vagrant" + ] + }, + "user": { + "domain": "VAGRANT", + "effective": { + "id": "S-1-0-0" + }, + "id": "S-1-5-21-1610636575-2290000098-1654242922-1000", + "name": "vagrant" }, - "@timestamp": "2019-11-14T17:10:15.151Z", "winlog": { + "channel": "Security", "computer_name": "vagrant", - "process": { - "pid": 4, - "thread": { - "id": 5076 - } + "event_data": { + "CommandLine": "\"C:\\Windows\\system32\\wevtutil.exe\" cl Security", + "MandatoryLabel": "S-1-16-12288", + "ProcessId": "0x122c", + 
"SubjectDomainName": "VAGRANT", + "SubjectLogonId": "0x274a2", + "SubjectUserName": "vagrant", + "SubjectUserSid": "S-1-5-21-1610636575-2290000098-1654242922-1000", + "TargetDomainName": "-", + "TargetLogonId": "0x0", + "TargetUserName": "-", + "TargetUserSid": "S-1-0-0", + "TokenElevationType": "%%1937" }, + "event_id": "4688", "keywords": [ "Audit Success" ], 
@@ -39,68 +88,19 @@ "logon": { "id": "0x274a2" }, - "channel": "Security", - "event_data": { - "MandatoryLabel": "S-1-16-12288", - "TargetLogonId": "0x0", - "CommandLine": "\"C:\\Windows\\system32\\wevtutil.exe\" cl Security", - "SubjectUserName": "vagrant", - "TokenElevationType": "%%1937", - "SubjectDomainName": "VAGRANT", - "SubjectLogonId": "0x274a2", - "ProcessId": "0x122c", - "TargetUserName": "-", - "TargetDomainName": "-", - "SubjectUserSid": "S-1-5-21-1610636575-2290000098-1654242922-1000", - "TargetUserSid": "S-1-0-0" - }, "opcode": "Info", - "version": 2, - "record_id": "5010", - "event_id": "4688", + "outcome": "success", + "process": { + "pid": 4, + "thread": { + "id": 5076 + } + }, "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-11-14T17:10:15.151Z", "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, - "ecs": { - "version": "8.0.0" - }, - "related": { - "user": [ - "vagrant" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4688_Process_Created.xml" - } - }, - "host": { - "name": "vagrant" - }, - "event": { - "ingested": "2022-01-12T04:31:06.389630910Z", - "code": "4688", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", - "action": "created-process", - "category": [ - "process" - ], - "type": [ - "start" - ], - "outcome": "success" - }, - "user": { - "name": "vagrant", - "effective": { - "id": "S-1-0-0" - }, - "id": "S-1-5-21-1610636575-2290000098-1654242922-1000", - "domain": "VAGRANT" + "record_id": "5010", + "time_created": "2019-11-14T17:10:15.151Z", + "version": 2 } } ] 
diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2019-4689-process-exited.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2019-4689-process-exited.json-expected.json index 09789b3c00d..037053f39e9 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2019-4689-process-exited.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-security-windows2019-4689-process-exited.json-expected.json 
@@ -1,27 +1,65 @@ { "expected": [ { + "@timestamp": "2019-11-14T21:26:49.496Z", "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", "ephemeral_id": "fb28c8e2-a7cd-49c5-8765-83f5037ec4f6", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", "type": "filebeat", "version": "8.0.0" }, + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "exited-process", + "category": [ + "process" + ], + "code": "4689", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", + "type": [ + "end" + ] + }, + "host": { + "name": "vagrant" + }, + "log": { + "file": { + "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4689_Process_Exited.xml" + }, + "level": "information" + }, "process": { + "executable": "C:\\Windows\\System32\\wevtutil.exe", "name": "wevtutil.exe", - "pid": 5412, - "executable": "C:\\Windows\\System32\\wevtutil.exe" + "pid": 5412 + }, + "related": { + "user": [ + "vagrant" + ] + }, + "user": { + "domain": "VAGRANT", + "id": "S-1-5-21-1610636575-2290000098-1654242922-1000", + "name": "vagrant" }, - "@timestamp": "2019-11-14T21:26:49.496Z", "winlog": { + "channel": "Security", "computer_name": "vagrant", - "process": { - "pid": 4, - "thread": { - "id": 1168 - } + "event_data": { + "Status": "0x0", + "SubjectDomainName": "VAGRANT", + "SubjectLogonId": "0x274a2", + "SubjectUserName": "vagrant", + "SubjectUserSid": "S-1-5-21-1610636575-2290000098-1654242922-1000" }, + "event_id": "4689", "keywords": [ "Audit Success" ], 
@@ -29,81 +67,80 @@ "logon": { "id": "0x274a2" }, - "channel": "Security", - "event_data": { - "Status": "0x0", - "SubjectUserName": "vagrant", - "SubjectDomainName": "VAGRANT", - "SubjectLogonId": "0x274a2", - "SubjectUserSid": "S-1-5-21-1610636575-2290000098-1654242922-1000" - }, "opcode": "Info", - "record_id": "7538", - "event_id": "4689", + "outcome": "success", + "process": { + "pid": 4, + "thread": { + "id": 1168 + } + }, "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-11-14T21:26:49.496Z", "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" + "record_id": "7538", + "time_created": "2019-11-14T21:26:49.496Z" + } + }, + { + "@timestamp": "2019-11-14T21:27:46.960Z", + "agent": { + "ephemeral_id": "fb28c8e2-a7cd-49c5-8765-83f5037ec4f6", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "vagrant" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4689_Process_Exited.xml" - } - }, - "host": { - "name": "vagrant" - }, "event": { - "ingested": "2022-01-12T04:31:07.131211174Z", - "code": "4689", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "exited-process", "category": [ "process" ], + "code": "4689", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "end" - ], - "outcome": "success" + ] }, - "user": { - "name": "vagrant", - "domain": "VAGRANT", - "id": "S-1-5-21-1610636575-2290000098-1654242922-1000" - } - }, - { - "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "ephemeral_id": "fb28c8e2-a7cd-49c5-8765-83f5037ec4f6", - "type": "filebeat", - "version": "8.0.0" + "host": { + "name": "vagrant" + }, + "log": { + "file": { + 
"path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4689_Process_Exited.xml" + }, + "level": "information" }, "process": { + "executable": "C:\\Windows\\System32\\taskhostw.exe", "name": "taskhostw.exe", - "pid": 3988, - "executable": "C:\\Windows\\System32\\taskhostw.exe" + "pid": 3988 + }, + "related": { + "user": [ + "vagrant" + ] + }, + "user": { + "domain": "VAGRANT", + "id": "S-1-5-21-1610636575-2290000098-1654242922-1000", + "name": "vagrant" }, - "@timestamp": "2019-11-14T21:27:46.960Z", "winlog": { + "channel": "Security", "computer_name": "vagrant", - "process": { - "pid": 4, - "thread": { - "id": 500 - } + "event_data": { + "Status": "0x0", + "SubjectDomainName": "VAGRANT", + "SubjectLogonId": "0x274f1", + "SubjectUserName": "vagrant", + "SubjectUserSid": "S-1-5-21-1610636575-2290000098-1654242922-1000" }, + "event_id": "4689", "keywords": [ "Audit Success" ], 
@@ -111,81 +148,80 @@ "logon": { "id": "0x274f1" }, - "channel": "Security", - "event_data": { - "Status": "0x0", - "SubjectUserName": "vagrant", - "SubjectDomainName": "VAGRANT", - "SubjectLogonId": "0x274f1", - "SubjectUserSid": "S-1-5-21-1610636575-2290000098-1654242922-1000" - }, "opcode": "Info", - "record_id": "7542", - "event_id": "4689", + "outcome": "success", + "process": { + "pid": 4, + "thread": { + "id": 500 + } + }, "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-11-14T21:27:46.960Z", "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" + "record_id": "7542", + "time_created": "2019-11-14T21:27:46.960Z" + } + }, + { + "@timestamp": "2019-11-14T21:28:18.460Z", + "agent": { + "ephemeral_id": "fb28c8e2-a7cd-49c5-8765-83f5037ec4f6", + "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", + "name": "Lees-MBP.localdomain", + "type": "filebeat", + "version": "8.0.0" }, "ecs": { "version": "8.0.0" }, - "related": { - "user": [ - "vagrant" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4689_Process_Exited.xml" - } - }, - "host": { - "name": "vagrant" - }, "event": { - "ingested": "2022-01-12T04:31:07.131213395Z", - "code": "4689", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", "action": "exited-process", "category": [ "process" ], + "code": "4689", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Security-Auditing", "type": [ "end" - ], - "outcome": "success" + ] }, - "user": { - "name": "vagrant", - "domain": "VAGRANT", - "id": "S-1-5-21-1610636575-2290000098-1654242922-1000" - } - }, - { - "agent": { - "name": "Lees-MBP.localdomain", - "id": "3cdc1e10-ded0-4f5d-8434-ede1d1120b17", - "ephemeral_id": "fb28c8e2-a7cd-49c5-8765-83f5037ec4f6", - "type": "filebeat", - "version": "8.0.0" + "host": { + "name": "vagrant" + }, + "log": { + "file": { 
+ "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4689_Process_Exited.xml" + }, + "level": "information" }, "process": { + "executable": "C:\\Windows\\System32\\wevtutil.exe", "name": "wevtutil.exe", - "pid": 2760, - "executable": "C:\\Windows\\System32\\wevtutil.exe" + "pid": 2760 + }, + "related": { + "user": [ + "vagrant" + ] + }, + "user": { + "domain": "VAGRANT", + "id": "S-1-5-21-1610636575-2290000098-1654242922-1000", + "name": "vagrant" }, - "@timestamp": "2019-11-14T21:28:18.460Z", "winlog": { + "channel": "Security", "computer_name": "vagrant", - "process": { - "pid": 4, - "thread": { - "id": 5636 - } + "event_data": { + "Status": "0x0", + "SubjectDomainName": "VAGRANT", + "SubjectLogonId": "0x274a2", + "SubjectUserName": "vagrant", + "SubjectUserSid": "S-1-5-21-1610636575-2290000098-1654242922-1000" }, + "event_id": "4689", "keywords": [ "Audit Success" ], 
@@ -193,57 +229,18 @@ "logon": { "id": "0x274a2" }, - "channel": "Security", - "event_data": { - "Status": "0x0", - "SubjectUserName": "vagrant", - "SubjectDomainName": "VAGRANT", - "SubjectLogonId": "0x274a2", - "SubjectUserSid": "S-1-5-21-1610636575-2290000098-1654242922-1000" - }, "opcode": "Info", - "record_id": "7544", - "event_id": "4689", + "outcome": "success", + "process": { + "pid": 4, + "thread": { + "id": 5636 + } + }, "provider_guid": "{54849625-5478-4994-a5ba-3e3b0328c30d}", - "time_created": "2019-11-14T21:28:18.460Z", "provider_name": "Microsoft-Windows-Security-Auditing", - "outcome": "success" - }, - "ecs": { - "version": "8.0.0" - }, - "related": { - "user": [ - "vagrant" - ] - }, - "log": { - "level": "information", - "file": { - "path": "/Users/leehinman/src/beats/x-pack/winlogbeat/module/security/test/testdata/security-windows2019_4689_Process_Exited.xml" - } - }, - "host": { - "name": "vagrant" - }, - "event": { - "ingested": "2022-01-12T04:31:07.131214301Z", - "code": "4689", - "provider": "Microsoft-Windows-Security-Auditing", - "kind": "event", - "action": "exited-process", - "category": [ - "process" - ], - "type": [ - "end" - ], - "outcome": "success" - }, - "user": { - "name": "vagrant", - "domain": "VAGRANT", - "id": "S-1-5-21-1610636575-2290000098-1654242922-1000" + "record_id": "7544", + "time_created": "2019-11-14T21:28:18.460Z" } } ] diff --git a/packages/system/data_stream/security/_dev/test/pipeline/test-unknown.json-expected.json b/packages/system/data_stream/security/_dev/test/pipeline/test-unknown.json-expected.json index 3f2e97fdd83..bc2f80493df 100644 --- a/packages/system/data_stream/security/_dev/test/pipeline/test-unknown.json-expected.json +++ b/packages/system/data_stream/security/_dev/test/pipeline/test-unknown.json-expected.json 
@@ -2,33 +2,32 @@ "expected": [ { "@timestamp": "2019-11-07T10:37:04.226Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "code": "65536", + "kind": "event", + "outcome": "success", + "provider": "Microsoft-Windows-Eventlog" + }, + "log": { + "level": "information" + }, "winlog": { + "channel": "Security", "computer_name": "WIN-41OB2LO92CR.wlbeat.local", - "record_id": "65536", "event_id": "65536", "keywords": [ "Unknown Event ID" ], "level": "information", - "provider_guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}", - "channel": "Security", - "time_created": "2019-11-07T10:37:04.226Z", "opcode": "Info", + "outcome": "success", + "provider_guid": "{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}", "provider_name": "Microsoft-Windows-Eventlog", - "outcome": "success" - }, - "ecs": { - "version": "8.0.0" - }, - "log": { - "level": "information" - }, - "event": { - "ingested": "2022-01-12T04:31:08.437324839Z", - "code": "65536", - "provider": "Microsoft-Windows-Eventlog", - "kind": "event", - "outcome": "success" + "record_id": "65536", + "time_created": "2019-11-07T10:37:04.226Z" } } ] diff --git a/packages/system/data_stream/security/elasticsearch/ingest_pipeline/default.yml b/packages/system/data_stream/security/elasticsearch/ingest_pipeline/default.yml index fd88f3d3d58..99276e771f9 100644 --- a/packages/system/data_stream/security/elasticsearch/ingest_pipeline/default.yml +++ b/packages/system/data_stream/security/elasticsearch/ingest_pipeline/default.yml @@ -1,9 +1,6 @@ --- description: Pipeline for Security events processors: - - set: - field: event.ingested - value: '{{_ingest.timestamp}}' - convert: field: event.code type: string diff --git a/packages/system/data_stream/security/elasticsearch/ingest_pipeline/standard.yml b/packages/system/data_stream/security/elasticsearch/ingest_pipeline/standard.yml index 8cd3dcc16c5..41c2a8c11a6 100644 --- a/packages/system/data_stream/security/elasticsearch/ingest_pipeline/standard.yml 
+++ b/packages/system/data_stream/security/elasticsearch/ingest_pipeline/standard.yml @@ -2853,6 +2853,22 @@ processors: def parts = ctx.process.parent.executable.splitOnToken("\\"); ctx.process.parent.put("name", parts[-1]); } + if (ctx?.winlog?.event_data?.ProcessId != null) { + if (ctx?.process == null) { + HashMap hm = new HashMap(); + ctx.put("process", hm); + } + if (ctx?.process?.parent == null) { + HashMap hm = new HashMap(); + ctx.process.put("parent", hm); + } + if (ctx.winlog.event_data.ProcessId instanceof String) { + Long pid = Long.decode(ctx.winlog.event_data.ProcessId); + ctx.process.parent.put("pid", pid.longValue()); + } else { + ctx.process.parent.put("pid", ctx.winlog.event_data.ProcessId); + } + } if (ctx?.winlog?.event_data?.CommandLine != null) { int start = 0; int end = 0; diff --git a/packages/system/data_stream/security/fields/ecs.yml b/packages/system/data_stream/security/fields/ecs.yml index 63d614f0871..8d1b2e2f337 100644 --- a/packages/system/data_stream/security/fields/ecs.yml +++ b/packages/system/data_stream/security/fields/ecs.yml @@ -52,6 +52,8 @@ name: process.parent.executable - external: ecs name: process.parent.name +- external: ecs + name: process.parent.pid - external: ecs name: process.pid - external: ecs diff --git a/packages/system/data_stream/syslog/_dev/test/pipeline/test-darwin-syslog-sample.log-expected.json b/packages/system/data_stream/syslog/_dev/test/pipeline/test-darwin-syslog-sample.log-expected.json index 357135d2057..2275efb2272 100644 --- a/packages/system/data_stream/syslog/_dev/test/pipeline/test-darwin-syslog-sample.log-expected.json +++ b/packages/system/data_stream/syslog/_dev/test/pipeline/test-darwin-syslog-sample.log-expected.json 
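Review bot: `Long.decode(ctx.winlog.event_data.ProcessId)` in the new `instanceof String` branch throws `NumberFormatException` on a malformed value (an empty string, or anything that is not decimal or `0x`-prefixed hex), which fails the whole document unless the enclosing script processor has an `on_failure` handler that lies outside this hunk. The parse should be guarded so that a bad `ProcessId` leaves `process.parent.pid` unset instead of dropping the event, as in the rewrite below. The mapping also assumes `event_data.ProcessId` is the creator process; that holds for 4688 (the fixture shows `"ProcessId": "0x122c"` becoming `process.parent.pid: 4652` next to `process.pid: 4556`), but if this script block also runs for other Security events where `ProcessId` names the subject process itself, the field would be wrong, so the condition deserves `// 4688: event_data.ProcessId is the creator (parent) process, NewProcessId is the child` or narrowing to that event code. The enclosing script starts and ends outside the hunk, so I cannot see whether it is already scoped.
```painless
// … unchanged: null guards that create ctx.process and ctx.process.parent …
if (ctx.winlog.event_data.ProcessId instanceof String) {
  try {
    ctx.process.parent.put("pid", Long.decode(ctx.winlog.event_data.ProcessId).longValue());
  } catch (NumberFormatException e) {
    // malformed ProcessId: leave process.parent.pid unset rather than failing the document
  }
} else {
  ctx.process.parent.put("pid", ctx.winlog.event_data.ProcessId);
}
```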
@@ -1,51 +1,48 @@ { "expected": [ { - "process": { - "name": "GoogleSoftwareUpdateAgent", - "pid": 21412 - }, - "system": { - "syslog": {} - }, "@timestamp": "2022-12-13T11:35:28.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "kind": "event", "timezone": "GMT-0200" }, - "message": "2016-12-13 11:35:28.420 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentApp updateProductWithProductID:usingEngine:] Checking for updates for \"All Products\" using engine \u003cKSUpdateEngine:0x100341a00\n\t\tticketStore=\u003cKSPersistentTicketStore:0x100204520 store=\u003cKSKeyedPersistentStore:0x100213290\n\t\t\tpath=\"/Users/tsg/Library/Google/GoogleSoftwareUpdate/TicketStore/Keystone.ticketstore\"\n\t\t\tlockFile=\u003cKSLockFile:0x1002160e0\n\t\t\t\tpath=\"/Users/tsg/Library/Google/GoogleSoftwareUpdate/TicketStore/Keystone.ticketstore.lock\"\n\t\t\t\tlocked=NO\n\t\t\t\u003e\n\t\t\u003e\u003e\n\t\tprocessor=\u003cKSActionProcessor:0x1003bb5f0\n\t\t\tdelegate=\u003cKSUpdateEngine:0x100341a00\u003e\n\t\t\tisProcessing=NO actionsCompleted=0 progress=0.00\n\t\t\terrors=0 currentActionErrors=0\n\t\t\tevents=0 currentActionEvents=0\n\t\t\tactionQueue=( )\n\t\t\u003e\n\t\tdelegate=(null)\n\t\tserverInfoStore=(null)\n\t\terrors=0\n\t\u003e" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "2016-12-13 11:35:28.420 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentApp updateProductWithProductID:usingEngine:] Checking for updates for \"All Products\" using engine \u003cKSUpdateEngine:0x100341a00\n\t\tticketStore=\u003cKSPersistentTicketStore:0x100204520 
store=\u003cKSKeyedPersistentStore:0x100213290\n\t\t\tpath=\"/Users/tsg/Library/Google/GoogleSoftwareUpdate/TicketStore/Keystone.ticketstore\"\n\t\t\tlockFile=\u003cKSLockFile:0x1002160e0\n\t\t\t\tpath=\"/Users/tsg/Library/Google/GoogleSoftwareUpdate/TicketStore/Keystone.ticketstore.lock\"\n\t\t\t\tlocked=NO\n\t\t\t\u003e\n\t\t\u003e\u003e\n\t\tprocessor=\u003cKSActionProcessor:0x1003bb5f0\n\t\t\tdelegate=\u003cKSUpdateEngine:0x100341a00\u003e\n\t\t\tisProcessing=NO actionsCompleted=0 progress=0.00\n\t\t\terrors=0 currentActionErrors=0\n\t\t\tevents=0 currentActionEvents=0\n\t\t\tactionQueue=( )\n\t\t\u003e\n\t\tdelegate=(null)\n\t\tserverInfoStore=(null)\n\t\terrors=0\n\t\u003e", "process": { "name": "GoogleSoftwareUpdateAgent", "pid": 21412 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T11:35:28.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "kind": "event", "timezone": "GMT-0200" }, - "message": "2016-12-13 11:35:28.421 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSUpdateEngine updateAllExceptProduct:] KSUpdateEngine updating all installed products, except:'com.google.Keystone'." - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "2016-12-13 11:35:28.421 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSUpdateEngine updateAllExceptProduct:] KSUpdateEngine updating all installed products, except:'com.google.Keystone'.", + "process": { + "name": "GoogleSoftwareUpdateAgent", + "pid": 21412 + }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-04-04T03:39:57.000-02:00", "ecs": { "version": "8.0.0" @@ -54,7 +51,10 @@ "kind": "event", "timezone": "GMT-0200" }, - "message": "--- last message repeated 1 time ---" + "message": "--- last message repeated 1 time ---", + "system": { + "syslog": {} + } } ] } \ No newline at end of file 
diff --git a/packages/system/data_stream/syslog/_dev/test/pipeline/test-darwin-syslog.log-expected.json b/packages/system/data_stream/syslog/_dev/test/pipeline/test-darwin-syslog.log-expected.json index a1650bb7d46..c8cd429367a 100644 --- a/packages/system/data_stream/syslog/_dev/test/pipeline/test-darwin-syslog.log-expected.json +++ b/packages/system/data_stream/syslog/_dev/test/pipeline/test-darwin-syslog.log-expected.json 
@@ -1,7609 +1,7609 @@ { "expected": [ { + "@timestamp": "2022-12-13T11:35:28.000-02:00", + "ecs": { + "version": "8.0.0" + }, + "event": { + "timezone": "GMT-0200" + }, + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "2016-12-13 11:35:28.419 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentApp performSelfUpdateWithEngine:] Finished self update check.", "process": { "name": "GoogleSoftwareUpdateAgent", "pid": 21412 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T11:35:28.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "2016-12-13 11:35:28.419 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentApp performSelfUpdateWithEngine:] Finished self update check." - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "2016-12-13 11:35:28.420 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentApp updateProductWithProductID:usingEngine:] Checking for updates for \"All Products\" using engine \u003cKSUpdateEngine:0x100341a00\n\t\tticketStore=\u003cKSPersistentTicketStore:0x100204520 store=\u003cKSKeyedPersistentStore:0x100213290\n\t\t\tpath=\"/Users/tsg/Library/Google/GoogleSoftwareUpdate/TicketStore/Keystone.ticketstore\"\n\t\t\tlockFile=\u003cKSLockFile:0x1002160e0\n\t\t\t\tpath=\"/Users/tsg/Library/Google/GoogleSoftwareUpdate/TicketStore/Keystone.ticketstore.lock\"\n\t\t\t\tlocked=NO\n\t\t\t\u003e\n\t\t\u003e\u003e\n\t\tprocessor=\u003cKSActionProcessor:0x1003bb5f0\n\t\t\tdelegate=\u003cKSUpdateEngine:0x100341a00\u003e\n\t\t\tisProcessing=NO actionsCompleted=0 progress=0.00\n\t\t\terrors=0 currentActionErrors=0\n\t\t\tevents=0 currentActionEvents=0\n\t\t\tactionQueue=( )\n\t\t\u003e\n\t\tdelegate=(null)\n\t\tserverInfoStore=(null)\n\t\terrors=0\n\t\u003e", "process": { "name": "GoogleSoftwareUpdateAgent", "pid": 21412 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": 
"2022-12-13T11:35:28.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "2016-12-13 11:35:28.420 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentApp updateProductWithProductID:usingEngine:] Checking for updates for \"All Products\" using engine \u003cKSUpdateEngine:0x100341a00\n\t\tticketStore=\u003cKSPersistentTicketStore:0x100204520 store=\u003cKSKeyedPersistentStore:0x100213290\n\t\t\tpath=\"/Users/tsg/Library/Google/GoogleSoftwareUpdate/TicketStore/Keystone.ticketstore\"\n\t\t\tlockFile=\u003cKSLockFile:0x1002160e0\n\t\t\t\tpath=\"/Users/tsg/Library/Google/GoogleSoftwareUpdate/TicketStore/Keystone.ticketstore.lock\"\n\t\t\t\tlocked=NO\n\t\t\t\u003e\n\t\t\u003e\u003e\n\t\tprocessor=\u003cKSActionProcessor:0x1003bb5f0\n\t\t\tdelegate=\u003cKSUpdateEngine:0x100341a00\u003e\n\t\t\tisProcessing=NO actionsCompleted=0 progress=0.00\n\t\t\terrors=0 currentActionErrors=0\n\t\t\tevents=0 currentActionEvents=0\n\t\t\tactionQueue=( )\n\t\t\u003e\n\t\tdelegate=(null)\n\t\tserverInfoStore=(null)\n\t\terrors=0\n\t\u003e" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "2016-12-13 11:35:28.421 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSUpdateEngine updateAllExceptProduct:] KSUpdateEngine updating all installed products, except:'com.google.Keystone'.", "process": { "name": "GoogleSoftwareUpdateAgent", "pid": 21412 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T11:35:28.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "2016-12-13 11:35:28.421 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSUpdateEngine updateAllExceptProduct:] KSUpdateEngine updating all installed products, except:'com.google.Keystone'." 
- }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "2016-12-13 11:35:28.422 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSCheckAction performAction] KSCheckAction checking 2 ticket(s).", "process": { "name": "GoogleSoftwareUpdateAgent", "pid": 21412 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T11:35:28.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "2016-12-13 11:35:28.422 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSCheckAction performAction] KSCheckAction checking 2 ticket(s)." - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "2016-12-13 11:35:28.428 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSUpdateCheckAction performAction] KSUpdateCheckAction starting update check for ticket(s): {(\n\t\t\u003cKSTicket:0x100550bd0\n\t\t\tproductID=com.google.Chrome\n\t\t\tversion=54.0.2840.98\n\t\t\txc=\u003cKSPathExistenceChecker:0x1005507d0 path=/Applications/Google Chrome.app\u003e\n\t\t\tserverType=Omaha\n\t\t\turl=https://tools.google.com/service/update2\n\t\t\tcreationDate=2015-06-25 15:40:23\n\t\t\ttagPath=/Applications/Google Chrome.app/Contents/Info.plist\n\t\t\ttagKey=KSChannelID\n\t\t\tbrandPath=/Users/tsg/Library/Google/Google Chrome Brand.plist\n\t\t\tbrandKey=KSBrandID\n\t\t\tversionPath=/Applications/Google Chrome.app/Contents/Info.plist\n\t\t\tversionKey=KSVersion\n\t\t\tcohort=1:1y5:gy3@0.05\n\t\t\tcohortName=Stable\n\t\t\tticketVersion=1\n\t\t\u003e,\n\t\t\u003cKSTicket:0x100555140\n\t\t\tproductID=com.google.GoogleDrive\n\t\t\tversion=1.32.3889.0961\n\t\t\txc=\u003cKSPathExistenceChecker:0x100554490 path=/Applications/Google Drive.app\u003e\n\t\t\tserverType=Omaha\n\t\t\turl=https://tools.google.com/service/update2\n\t\t\tcreationDate=2015-09-11 20:38:12\n\t\t\tticketVersion=1\n\t\t\u003e\n\t)}\n\tUsing server: 
\u003cKSOmahaServer:0x100555120\n\t\tengine=\u003cKSUpdateEngine:0x100341a00\u003e\n\t\u003e", "process": { "name": "GoogleSoftwareUpdateAgent", "pid": 21412 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T11:35:28.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "2016-12-13 11:35:28.428 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSUpdateCheckAction performAction] KSUpdateCheckAction starting update check for ticket(s): {(\n\t\t\u003cKSTicket:0x100550bd0\n\t\t\tproductID=com.google.Chrome\n\t\t\tversion=54.0.2840.98\n\t\t\txc=\u003cKSPathExistenceChecker:0x1005507d0 path=/Applications/Google Chrome.app\u003e\n\t\t\tserverType=Omaha\n\t\t\turl=https://tools.google.com/service/update2\n\t\t\tcreationDate=2015-06-25 15:40:23\n\t\t\ttagPath=/Applications/Google Chrome.app/Contents/Info.plist\n\t\t\ttagKey=KSChannelID\n\t\t\tbrandPath=/Users/tsg/Library/Google/Google Chrome Brand.plist\n\t\t\tbrandKey=KSBrandID\n\t\t\tversionPath=/Applications/Google Chrome.app/Contents/Info.plist\n\t\t\tversionKey=KSVersion\n\t\t\tcohort=1:1y5:gy3@0.05\n\t\t\tcohortName=Stable\n\t\t\tticketVersion=1\n\t\t\u003e,\n\t\t\u003cKSTicket:0x100555140\n\t\t\tproductID=com.google.GoogleDrive\n\t\t\tversion=1.32.3889.0961\n\t\t\txc=\u003cKSPathExistenceChecker:0x100554490 path=/Applications/Google Drive.app\u003e\n\t\t\tserverType=Omaha\n\t\t\turl=https://tools.google.com/service/update2\n\t\t\tcreationDate=2015-09-11 20:38:12\n\t\t\tticketVersion=1\n\t\t\u003e\n\t)}\n\tUsing server: \u003cKSOmahaServer:0x100555120\n\t\tengine=\u003cKSUpdateEngine:0x100341a00\u003e\n\t\u003e" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "2016-12-13 11:35:28.446 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] +[KSCodeSigningVerification verifyBundle:applicationId:error:] KSCodeSigningVerification verifying code signing for '/Applications/Google 
Chrome.app' with the requirement 'anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and certificate leaf[field.1.2.840.113635.100.6.1.13] exists and certificate leaf[subject.OU]=\"EQHXZ8M8AV\" and (identifier=\"com.google.Chrome\")'", "process": { "name": "GoogleSoftwareUpdateAgent", "pid": 21412 }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T11:35:28.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T11:35:29.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "2016-12-13 11:35:28.446 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] +[KSCodeSigningVerification verifyBundle:applicationId:error:] KSCodeSigningVerification verifying code signing for '/Applications/Google Chrome.app' with the requirement 'anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and certificate leaf[field.1.2.840.113635.100.6.1.13] exists and certificate leaf[subject.OU]=\"EQHXZ8M8AV\" and (identifier=\"com.google.Chrome\")'" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "2016-12-13 11:35:29.430 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] +[KSCodeSigningVerification verifyBundle:applicationId:error:] KSCodeSigningVerification verifying code signing for '/Applications/Google Drive.app' with the requirement 'anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and certificate leaf[field.1.2.840.113635.100.6.1.13] exists and certificate leaf[subject.OU]=\"EQHXZ8M8AV\" and (identifier=\"com.google.GoogleDrive\")'", "process": { "name": "GoogleSoftwareUpdateAgent", "pid": 21412 }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T11:35:29.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T11:35:30.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "2016-12-13 
11:35:29.430 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] +[KSCodeSigningVerification verifyBundle:applicationId:error:] KSCodeSigningVerification verifying code signing for '/Applications/Google Drive.app' with the requirement 'anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] exists and certificate leaf[field.1.2.840.113635.100.6.1.13] exists and certificate leaf[subject.OU]=\"EQHXZ8M8AV\" and (identifier=\"com.google.GoogleDrive\")'" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "2016-12-13 11:35:30.115 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSUpdateCheckAction performAction] KSUpdateCheckAction running KSServerUpdateRequest: \u003cKSOmahaServerUpdateRequest:0x100480470\n\t\tserver=\u003cKSOmahaServer:0x100555120\u003e\n\t\turl=\"https://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141\u0026cup2key=6:1566315822\"\n\t\tfallbackURLs=(\n\t\t\thttp://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141\u0026cup2key=6:1617080069\n\t\t)\n\t\trunningFetchers=0\n\t\ttickets=2\n\t\tbody=\n\t\t\t\u003c?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?\u003e\n\t\t\t\u003crequest protocol=\"3.0\" version=\"KeystoneAgent-1.2.6.1370\" ismachine=\"0\" requestid=\"{8F3B41E7-420E-4526-887D-C40439FD9A8E}\" dedup=\"cr\" sessionid=\"{3BD434BD-06BC-40C7-9A27-EFE887A149E3}\"\u003e\n\t\t\t \u003cos platform=\"mac\" version=\"10.12\" arch=\"x86_64h\" sp=\"10.12.0_x86_64h\"\u003e\u003c/os\u003e\n\t\t\t \u003capp appid=\"com.google.Chrome\" version=\"54.0.2840.98\" cohort=\"1:1y5:gy3@0.05\" cohortname=\"Stable\" lang=\"en-us\" installage=\"536\" installdate=\"3479\" brand=\"GGRO\" _numaccounts=\"1\" _numsignedin=\"1\" signed=\"1\"\u003e\n\t\t\t \u003cping r=\"1\" rd=\"3633\" a=\"1\" ad=\"3633\" ping_freshness=\"{6001AB3C-5253-44A9-94A9-CD4493ED14F9}\"\u003e\u003c/ping\u003e\n\t\t\t 
\u003cupdatecheck\u003e\u003c/updatecheck\u003e\n\t\t\t \u003c/app\u003e\n\t\t\t \u003capp appid=\"com.google.GoogleDrive\" version=\"1.32.3889.0961\" lang=\"en-us\" installage=\"458\" installdate=\"3479\" brand=\"GGLG\" signed=\"1\"\u003e\n\t\t\t \u003cping r=\"1\" rd=\"3633\" a=\"1\" ad=\"3633\" ping_freshness=\"{1BFFDCCA-5966-4598-819C-C1D075E480C5}\"\u003e\u003c/ping\u003e\n\t\t\t \u003cupdatecheck\u003e\u003c/updatecheck\u003e\n\t\t\t \u003c/app\u003e\n\t\t\t\u003c/request\u003e\n\t\theaders={\n\t\t\t\"X-GoogleUpdate-Interactivity\" = bg;\n\t\t}\n\t\u003e", "process": { "name": "GoogleSoftwareUpdateAgent", "pid": 21412 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T11:35:30.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "2016-12-13 11:35:30.115 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSUpdateCheckAction performAction] KSUpdateCheckAction running KSServerUpdateRequest: \u003cKSOmahaServerUpdateRequest:0x100480470\n\t\tserver=\u003cKSOmahaServer:0x100555120\u003e\n\t\turl=\"https://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141\u0026cup2key=6:1566315822\"\n\t\tfallbackURLs=(\n\t\t\thttp://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141\u0026cup2key=6:1617080069\n\t\t)\n\t\trunningFetchers=0\n\t\ttickets=2\n\t\tbody=\n\t\t\t\u003c?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?\u003e\n\t\t\t\u003crequest protocol=\"3.0\" version=\"KeystoneAgent-1.2.6.1370\" ismachine=\"0\" requestid=\"{8F3B41E7-420E-4526-887D-C40439FD9A8E}\" dedup=\"cr\" sessionid=\"{3BD434BD-06BC-40C7-9A27-EFE887A149E3}\"\u003e\n\t\t\t \u003cos platform=\"mac\" version=\"10.12\" arch=\"x86_64h\" sp=\"10.12.0_x86_64h\"\u003e\u003c/os\u003e\n\t\t\t \u003capp appid=\"com.google.Chrome\" version=\"54.0.2840.98\" 
cohort=\"1:1y5:gy3@0.05\" cohortname=\"Stable\" lang=\"en-us\" installage=\"536\" installdate=\"3479\" brand=\"GGRO\" _numaccounts=\"1\" _numsignedin=\"1\" signed=\"1\"\u003e\n\t\t\t \u003cping r=\"1\" rd=\"3633\" a=\"1\" ad=\"3633\" ping_freshness=\"{6001AB3C-5253-44A9-94A9-CD4493ED14F9}\"\u003e\u003c/ping\u003e\n\t\t\t \u003cupdatecheck\u003e\u003c/updatecheck\u003e\n\t\t\t \u003c/app\u003e\n\t\t\t \u003capp appid=\"com.google.GoogleDrive\" version=\"1.32.3889.0961\" lang=\"en-us\" installage=\"458\" installdate=\"3479\" brand=\"GGLG\" signed=\"1\"\u003e\n\t\t\t \u003cping r=\"1\" rd=\"3633\" a=\"1\" ad=\"3633\" ping_freshness=\"{1BFFDCCA-5966-4598-819C-C1D075E480C5}\"\u003e\u003c/ping\u003e\n\t\t\t \u003cupdatecheck\u003e\u003c/updatecheck\u003e\n\t\t\t \u003c/app\u003e\n\t\t\t\u003c/request\u003e\n\t\theaders={\n\t\t\t\"X-GoogleUpdate-Interactivity\" = bg;\n\t\t}\n\t\u003e" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "2016-12-13 11:35:30.116 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOutOfProcessFetcher beginFetchWithDelegate:] KSOutOfProcessFetcher start fetch from URL: \"https://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141\u0026cup2key=6:1566315822\"", "process": { "name": "GoogleSoftwareUpdateAgent", "pid": 21412 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T11:35:30.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "2016-12-13 11:35:30.116 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOutOfProcessFetcher beginFetchWithDelegate:] KSOutOfProcessFetcher start fetch from URL: \"https://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141\u0026cup2key=6:1566315822\"" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "2016-12-13 11:35:30.117 
GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOutOfProcessFetcher(PrivateMethods) launchedHelperTaskForToolPath:error:] KSOutOfProcessFetcher launched '/Users/tsg/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/MacOS/ksfetch' with process id: 21414", "process": { "name": "GoogleSoftwareUpdateAgent", "pid": 21412 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T11:35:30.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "2016-12-13 11:35:30.117 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOutOfProcessFetcher(PrivateMethods) launchedHelperTaskForToolPath:error:] KSOutOfProcessFetcher launched '/Users/tsg/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/MacOS/ksfetch' with process id: 21414" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "2016-12-13 11:35:30.118 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOutOfProcessFetcher beginFetchWithDelegate:] KSOutOfProcessFetcher sending both request and download file location to the helper.", "process": { "name": "GoogleSoftwareUpdateAgent", "pid": 21412 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T11:35:30.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "2016-12-13 11:35:30.118 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOutOfProcessFetcher beginFetchWithDelegate:] KSOutOfProcessFetcher sending both request and download file location to the helper." 
- }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "2016-12-13 11:35:30.118 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] KSSendAllDataToHelper() KSHelperTool wrote 2383 bytes to the helper input.", "process": { "name": "GoogleSoftwareUpdateAgent", "pid": 21412 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T11:35:30.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "2016-12-13 11:35:30.118 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] KSSendAllDataToHelper() KSHelperTool wrote 2383 bytes to the helper input." - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "2016-12-13 11:35:30.118 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOutOfProcessFetcher beginFetchWithDelegate:] Closing the file handle.", "process": { "name": "GoogleSoftwareUpdateAgent", "pid": 21412 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T11:35:30.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "2016-12-13 11:35:30.118 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOutOfProcessFetcher beginFetchWithDelegate:] Closing the file handle." 
- }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "2016-12-13 11:35:30.118 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOutOfProcessFetcher beginFetchWithDelegate:] KSOutOfProcessFetcher fetching from URL: \"https://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141\u0026cup2key=6:1566315822\"", "process": { "name": "GoogleSoftwareUpdateAgent", "pid": 21412 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T11:35:30.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "2016-12-13 11:35:30.118 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOutOfProcessFetcher beginFetchWithDelegate:] KSOutOfProcessFetcher fetching from URL: \"https://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141\u0026cup2key=6:1566315822\"" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "2016-12-13 11:35:30.149 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] KSHelperReceiveAllData() KSHelperTool read 2383 bytes from stdin.", "process": { "name": "ksfetch", "pid": 21414 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T11:35:30.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "2016-12-13 11:35:30.149 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] KSHelperReceiveAllData() KSHelperTool read 2383 bytes from stdin." 
- }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "2016-12-13 11:35:30.151 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] main() Fetcher received a request: \u003cNSMutableURLRequest: 0x100119140\u003e { URL: https://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141\u0026cup2key=6:1566315822 }", "process": { "name": "ksfetch", "pid": 21414 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T11:35:30.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "2016-12-13 11:35:30.151 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] main() Fetcher received a request: \u003cNSMutableURLRequest: 0x100119140\u003e { URL: https://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141\u0026cup2key=6:1566315822 }" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "2016-12-13 11:35:30.151 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] main() Fetcher received a download path: /tmp/KSOutOfProcessFetcher.QTqOLkktQz/download", "process": { "name": "ksfetch", "pid": 21414 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T11:35:30.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "2016-12-13 11:35:30.151 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] main() Fetcher received a download path: /tmp/KSOutOfProcessFetcher.QTqOLkktQz/download" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "2016-12-13 11:35:30.152 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] main() ksfetch fetching URL (\u003cNSMutableURLRequest: 0x100119140\u003e { URL: https://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141\u0026cup2key=6:1566315822 }) to 
folder:/tmp/KSOutOfProcessFetcher.QTqOLkktQz/download", "process": { "name": "ksfetch", "pid": 21414 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T11:35:30.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "2016-12-13 11:35:30.152 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] main() ksfetch fetching URL (\u003cNSMutableURLRequest: 0x100119140\u003e { URL: https://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141\u0026cup2key=6:1566315822 }) to folder:/tmp/KSOutOfProcessFetcher.QTqOLkktQz/download" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "2016-12-13 11:35:30.152 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] main() Setting up download file handles...", "process": { "name": "ksfetch", "pid": 21414 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T11:35:30.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "2016-12-13 11:35:30.152 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] main() Setting up download file handles..." 
- }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "2016-12-13 11:35:30.348 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] -[FetchDelegate fetcher:finishedWithData:] Fetcher downloaded successfully data of length: 0", "process": { "name": "ksfetch", "pid": 21414 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T11:35:30.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "2016-12-13 11:35:30.348 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] -[FetchDelegate fetcher:finishedWithData:] Fetcher downloaded successfully data of length: 0" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "2016-12-13 11:35:30.348 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] main() ksfetch done fetching.", "process": { "name": "ksfetch", "pid": 21414 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T11:35:30.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "2016-12-13 11:35:30.348 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] main() ksfetch done fetching." - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "2016-12-13 11:35:30.351 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] main() Fetcher is exiting.", "process": { "name": "ksfetch", "pid": 21414 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T11:35:30.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "2016-12-13 11:35:30.351 ksfetch[21414/0x7fffcc3f93c0] [lvl=2] main() Fetcher is exiting." 
- }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "2016-12-13 11:35:30.354 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOutOfProcessFetcher(PrivateMethods) helperErrorAvailable:] KSOutOfProcessFetcher helper tool raw STDERR:\n\t:\t\u003c\u003e", "process": { "name": "GoogleSoftwareUpdateAgent", "pid": 21412 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T11:35:30.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "2016-12-13 11:35:30.354 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOutOfProcessFetcher(PrivateMethods) helperErrorAvailable:] KSOutOfProcessFetcher helper tool raw STDERR:\n\t:\t\u003c\u003e" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "2016-12-13 11:35:30.354 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOutOfProcessFetcher(PrivateMethods) helperDidTerminate:] KSOutOfProcessFetcher fetch ended for URL: \"https://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141\u0026cup2key=6:1566315822\"", "process": { "name": "GoogleSoftwareUpdateAgent", "pid": 21412 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T11:35:30.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "2016-12-13 11:35:30.354 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOutOfProcessFetcher(PrivateMethods) helperDidTerminate:] KSOutOfProcessFetcher fetch ended for URL: \"https://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141\u0026cup2key=6:1566315822\"" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "2016-12-13 11:35:30.355 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] 
-[KSUpdateCheckAction(KSServerUpdateRequestDelegate) serverRequest:fetchedWithResponse:] KSUpdateCheckAction received KSServerUpdateResponse: \u003cKSOmahaServerUpdateResponse:0x100559060\n\t\tserver=\u003cKSOmahaServer:0x100555120\u003e\n\t\turl=\"https://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141\u0026cup2key=6:1566315822\"\n\t\ttickets=2\n\t\tstatus=200\n\t\tdata=\n\t\t\t\u003c?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?\u003e\n\t\t\t\u003cresponse protocol=\"3.0\" server=\"prod\"\u003e\n\t\t\t \u003cdaystart elapsed_days=\"3634\" elapsed_seconds=\"9330\"\u003e\u003c/daystart\u003e\n\t\t\t \u003capp appid=\"com.google.Chrome\" cohort=\"1:1y5:gy3@0.05\" cohortname=\"Stable\" status=\"ok\"\u003e\n\t\t\t \u003cping status=\"ok\"\u003e\u003c/ping\u003e\n\t\t\t \u003cupdatecheck status=\"noupdate\"\u003e\u003c/updatecheck\u003e\n\t\t\t \u003c/app\u003e\n\t\t\t \u003capp appid=\"com.google.GoogleDrive\" cohort=\"\" cohortname=\"\" status=\"ok\"\u003e\n\t\t\t \u003cping status=\"ok\"\u003e\u003c/ping\u003e\n\t\t\t \u003cupdatecheck status=\"noupdate\"\u003e\u003c/updatecheck\u003e\n\t\t\t \u003c/app\u003e\n\t\t\t\u003c/response\u003e\n\t\u003e", "process": { "name": "GoogleSoftwareUpdateAgent", "pid": 21412 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T11:35:30.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "2016-12-13 11:35:30.355 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSUpdateCheckAction(KSServerUpdateRequestDelegate) serverRequest:fetchedWithResponse:] KSUpdateCheckAction received KSServerUpdateResponse: 
\u003cKSOmahaServerUpdateResponse:0x100559060\n\t\tserver=\u003cKSOmahaServer:0x100555120\u003e\n\t\turl=\"https://tools.google.com/service/update2?cup2hreq=423332d883f010d5b10e169646ed851278047f76e6c5d4dbfa2233ef66e3b141\u0026cup2key=6:1566315822\"\n\t\ttickets=2\n\t\tstatus=200\n\t\tdata=\n\t\t\t\u003c?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?\u003e\n\t\t\t\u003cresponse protocol=\"3.0\" server=\"prod\"\u003e\n\t\t\t \u003cdaystart elapsed_days=\"3634\" elapsed_seconds=\"9330\"\u003e\u003c/daystart\u003e\n\t\t\t \u003capp appid=\"com.google.Chrome\" cohort=\"1:1y5:gy3@0.05\" cohortname=\"Stable\" status=\"ok\"\u003e\n\t\t\t \u003cping status=\"ok\"\u003e\u003c/ping\u003e\n\t\t\t \u003cupdatecheck status=\"noupdate\"\u003e\u003c/updatecheck\u003e\n\t\t\t \u003c/app\u003e\n\t\t\t \u003capp appid=\"com.google.GoogleDrive\" cohort=\"\" cohortname=\"\" status=\"ok\"\u003e\n\t\t\t \u003cping status=\"ok\"\u003e\u003c/ping\u003e\n\t\t\t \u003cupdatecheck status=\"noupdate\"\u003e\u003c/updatecheck\u003e\n\t\t\t \u003c/app\u003e\n\t\t\t\u003c/response\u003e\n\t\u003e" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "2016-12-13 11:35:30.356 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOmahaServer updateInfosForUpdateResponse:updateRequest:infoStore:upToDateTickets:updatedTickets:events:errors:] Response passed CUP validation.", "process": { "name": "GoogleSoftwareUpdateAgent", "pid": 21412 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T11:35:30.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "2016-12-13 11:35:30.356 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSOmahaServer updateInfosForUpdateResponse:updateRequest:infoStore:upToDateTickets:updatedTickets:events:errors:] Response passed CUP validation." 
- }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "2016-12-13 11:35:30.381 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSUpdateCheckAction(PrivateMethods) finishAction] KSUpdateCheckAction found updates: {( )}", "process": { "name": "GoogleSoftwareUpdateAgent", "pid": 21412 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T11:35:30.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "2016-12-13 11:35:30.381 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSUpdateCheckAction(PrivateMethods) finishAction] KSUpdateCheckAction found updates: {( )}" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "2016-12-13 11:35:30.384 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSPrefetchAction performAction] KSPrefetchAction no updates to prefetch.", "process": { "name": "GoogleSoftwareUpdateAgent", "pid": 21412 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T11:35:30.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "2016-12-13 11:35:30.384 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSPrefetchAction performAction] KSPrefetchAction no updates to prefetch." 
- }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "2016-12-13 11:35:30.384 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSMultiUpdateAction performAction] KSSilentUpdateAction had no updates to apply.", "process": { "name": "GoogleSoftwareUpdateAgent", "pid": 21412 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T11:35:30.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "2016-12-13 11:35:30.384 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSMultiUpdateAction performAction] KSSilentUpdateAction had no updates to apply." - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "2016-12-13 11:35:30.384 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSMultiUpdateAction performAction] KSPromptAction had no updates to apply.", "process": { "name": "GoogleSoftwareUpdateAgent", "pid": 21412 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T11:35:30.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "2016-12-13 11:35:30.384 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSMultiUpdateAction performAction] KSPromptAction had no updates to apply." 
- }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "2016-12-13 11:35:30.384 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentApp(KeystoneDelegate) updateEngineFinishedWithErrors:] Keystone finished: errors=0", "process": { "name": "GoogleSoftwareUpdateAgent", "pid": 21412 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T11:35:30.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "2016-12-13 11:35:30.384 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentApp(KeystoneDelegate) updateEngineFinishedWithErrors:] Keystone finished: errors=0" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "2016-12-13 11:35:30.385 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSUpdateEngine(PrivateMethods) updateFinish] KSUpdateEngine update processing complete.", "process": { "name": "GoogleSoftwareUpdateAgent", "pid": 21412 }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T11:35:30.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T11:35:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "2016-12-13 11:35:30.385 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSUpdateEngine(PrivateMethods) updateFinish] KSUpdateEngine update processing complete." 
- }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "2016-12-13 11:35:31.142 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentApp updateProductWithProductID:usingEngine:] Done checking for updates for '\"All Products\"' using engine \u003cKSUpdateEngine:0x100341a00\n\t\tticketStore=\u003cKSPersistentTicketStore:0x100204520 store=\u003cKSKeyedPersistentStore:0x100213290\n\t\t\tpath=\"/Users/tsg/Library/Google/GoogleSoftwareUpdate/TicketStore/Keystone.ticketstore\"\n\t\t\tlockFile=\u003cKSLockFile:0x1002160e0\n\t\t\t\tpath=\"/Users/tsg/Library/Google/GoogleSoftwareUpdate/TicketStore/Keystone.ticketstore.lock\"\n\t\t\t\tlocked=NO\n\t\t\t\u003e\n\t\t\u003e\u003e\n\t\tprocessor=\u003cKSActionProcessor:0x1002769e0\n\t\t\tdelegate=\u003cKSUpdateEngine:0x100341a00\u003e\n\t\t\tisProcessing=NO actionsCompleted=0 progress=0.00\n\t\t\terrors=0 currentActionErrors=0\n\t\t\tevents=0 currentActionEvents=0\n\t\t\tactionQueue=( )\n\t\t\u003e\n\t\tdelegate=\u003cKSAgentApp: 0x10052a250\u003e\n\t\tserverInfoStore=\u003cKSServerPrivateInfoStore:0x100317b40 path=\"/Users/tsg/Library/Google/GoogleSoftwareUpdate/Servers\"\u003e\n\t\terrors=0\n\t\u003e", "process": { "name": "GoogleSoftwareUpdateAgent", "pid": 21412 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T11:35:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "2016-12-13 11:35:31.142 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentApp updateProductWithProductID:usingEngine:] Done checking for updates for '\"All Products\"' using engine \u003cKSUpdateEngine:0x100341a00\n\t\tticketStore=\u003cKSPersistentTicketStore:0x100204520 
store=\u003cKSKeyedPersistentStore:0x100213290\n\t\t\tpath=\"/Users/tsg/Library/Google/GoogleSoftwareUpdate/TicketStore/Keystone.ticketstore\"\n\t\t\tlockFile=\u003cKSLockFile:0x1002160e0\n\t\t\t\tpath=\"/Users/tsg/Library/Google/GoogleSoftwareUpdate/TicketStore/Keystone.ticketstore.lock\"\n\t\t\t\tlocked=NO\n\t\t\t\u003e\n\t\t\u003e\u003e\n\t\tprocessor=\u003cKSActionProcessor:0x1002769e0\n\t\t\tdelegate=\u003cKSUpdateEngine:0x100341a00\u003e\n\t\t\tisProcessing=NO actionsCompleted=0 progress=0.00\n\t\t\terrors=0 currentActionErrors=0\n\t\t\tevents=0 currentActionEvents=0\n\t\t\tactionQueue=( )\n\t\t\u003e\n\t\tdelegate=\u003cKSAgentApp: 0x10052a250\u003e\n\t\tserverInfoStore=\u003cKSServerPrivateInfoStore:0x100317b40 path=\"/Users/tsg/Library/Google/GoogleSoftwareUpdate/Servers\"\u003e\n\t\terrors=0\n\t\u003e" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "2016-12-13 11:35:31.302 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentUploader fetcher:finishedWithData:] Successfully uploaded stats to \u003cNSMutableURLRequest: 0x1003cbcd0\u003e { URL: https://tools.google.com/service/update2 }", "process": { "name": "GoogleSoftwareUpdateAgent", "pid": 21412 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T11:35:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "2016-12-13 11:35:31.302 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentUploader fetcher:finishedWithData:] Successfully uploaded stats to \u003cNSMutableURLRequest: 0x1003cbcd0\u003e { URL: https://tools.google.com/service/update2 }" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "2016-12-13 11:35:31.431 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentApp uploadStats:] Successfully uploaded stats \u003cKSStatsCollection:0x100212570 
path=\"/Users/tsg/Library/Google/GoogleSoftwareUpdate/Stats/Keystone.stats\", count=5, stats={\n\t checks = 2;\n\t tickets = 2;\n\t usertickets = 3;\n\t validtickets = 2;\n\t validusertickets = 3;\n\t}\u003e", "process": { "name": "GoogleSoftwareUpdateAgent", "pid": 21412 }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T11:35:31.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T11:35:32.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "2016-12-13 11:35:31.431 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentApp uploadStats:] Successfully uploaded stats \u003cKSStatsCollection:0x100212570 path=\"/Users/tsg/Library/Google/GoogleSoftwareUpdate/Stats/Keystone.stats\", count=5, stats={\n\t checks = 2;\n\t tickets = 2;\n\t usertickets = 3;\n\t validtickets = 2;\n\t validusertickets = 3;\n\t}\u003e" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "2016-12-13 11:35:32.508 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentApp(KeystoneThread) runKeystonesInThreadWithArg:] Finished with engine thread", "process": { "name": "GoogleSoftwareUpdateAgent", "pid": 21412 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T11:35:32.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "2016-12-13 11:35:32.508 GoogleSoftwareUpdateAgent[21412/0x700007399000] [lvl=2] -[KSAgentApp(KeystoneThread) runKeystonesInThreadWithArg:] Finished with engine thread" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "2016-12-13 11:35:32.825 GoogleSoftwareUpdateAgent[21412/0x7fffcc3f93c0] [lvl=2] -[KSAgentApp checkForUpdates] Finished update check.", "process": { "name": "GoogleSoftwareUpdateAgent", "pid": 21412 }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T11:35:32.000-02:00", + } + }, + 
{ + "@timestamp": "2022-12-13T11:35:57.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "2016-12-13 11:35:32.825 GoogleSoftwareUpdateAgent[21412/0x7fffcc3f93c0] [lvl=2] -[KSAgentApp checkForUpdates] Finished update check." - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x60000a8499d0 holds 0x2121212121212121 instead of 0x600006a22fa0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process": { "name": "Google Chrome", "pid": 85294 }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T11:35:57.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T11:37:57.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "objc[85294]: __weak variable at 0x60000a8499d0 holds 0x2121212121212121 instead of 0x600006a22fa0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug." - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x60800f047240 holds 0x2121212121212121 instead of 0x608002231220. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process": { "name": "Google Chrome", "pid": 85294 }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T11:37:57.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T11:38:45.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "objc[85294]: __weak variable at 0x60800f047240 holds 0x2121212121212121 instead of 0x608002231220. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug." 
- }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process": { "name": "com.apple.xpc.launchd[1] (com.apple.quicklook[21498])" }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T11:38:45.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T11:39:57.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x60000a256990 holds 0x2121212121212121 instead of 0x600006a22420. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process": { "name": "Google Chrome", "pid": 85294 }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T11:39:57.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T11:41:57.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "objc[85294]: __weak variable at 0x60000a256990 holds 0x2121212121212121 instead of 0x600006a22420. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug." - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x6080096475d0 holds 0x2121212121212121 instead of 0x608004e21280. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). 
Break on objc_weak_error to debug.", "process": { "name": "Google Chrome", "pid": 85294 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T11:41:57.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "objc[85294]: __weak variable at 0x6080096475d0 holds 0x2121212121212121 instead of 0x608004e21280. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug." - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "ASL Sender Statistics", "process": { "name": "syslogd", "pid": 46 }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T11:41:57.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T11:42:55.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "ASL Sender Statistics" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process": { "name": "com.apple.xpc.launchd[1] (com.apple.quicklook[21556])" }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T11:42:55.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T11:45:18.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "Endpoint has been activated through legacy launch(3) APIs. 
Please switch to XPC or bootstrap_check_in(): com.apple.quicklook" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "Unknown key for integer: _DirtyJetsamMemoryLimit", "process": { "name": "com.apple.xpc.launchd[1] (com.apple.imfoundation.IMRemoteURLConnectionAgent)" }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T11:45:18.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T11:45:57.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "Unknown key for integer: _DirtyJetsamMemoryLimit" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x60000a85a860 holds 0x2121212121212121 instead of 0x600004a3b9a0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process": { "name": "Google Chrome", "pid": 85294 }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T11:45:57.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T11:47:06.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "objc[85294]: __weak variable at 0x60000a85a860 holds 0x2121212121212121 instead of 0x600004a3b9a0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug." - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "Endpoint has been activated through legacy launch(3) APIs. 
Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process": { "name": "com.apple.xpc.launchd[1] (com.apple.quicklook[21581])" }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T11:47:06.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T11:47:57.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x608009840580 holds 0x2121212121212121 instead of 0x608004a22940. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process": { "name": "Google Chrome", "pid": 85294 }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T11:47:57.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T11:49:57.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "objc[85294]: __weak variable at 0x608009840580 holds 0x2121212121212121 instead of 0x608004a22940. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug." - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x608009c5b700 holds 0x2121212121212121 instead of 0x608005830020. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). 
Break on objc_weak_error to debug.", "process": { "name": "Google Chrome", "pid": 85294 }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T11:49:57.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T11:51:17.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "objc[85294]: __weak variable at 0x608009c5b700 holds 0x2121212121212121 instead of 0x608005830020. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug." - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process": { "name": "com.apple.xpc.launchd[1] (com.apple.quicklook[21586])" }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T11:51:17.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T11:51:57.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x60800ee592d0 holds 0x2121212121212121 instead of 0x608005627220. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process": { "name": "Google Chrome", "pid": 85294 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T11:51:57.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "objc[85294]: __weak variable at 0x60800ee592d0 holds 0x2121212121212121 instead of 0x608005627220. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). 
Break on objc_weak_error to debug." - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "ASL Sender Statistics", "process": { "name": "syslogd", "pid": 46 }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T11:51:57.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T11:53:57.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "ASL Sender Statistics" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x60000c648290 holds 0x2121212121212121 instead of 0x6000050242a0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process": { "name": "Google Chrome", "pid": 85294 }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T11:53:57.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T11:55:28.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "objc[85294]: __weak variable at 0x60000c648290 holds 0x2121212121212121 instead of 0x6000050242a0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug." - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process": { "name": "com.apple.xpc.launchd[1] (com.apple.quicklook[21589])" }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T11:55:28.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T11:55:57.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "Endpoint has been activated through legacy launch(3) APIs. 
Please switch to XPC or bootstrap_check_in(): com.apple.quicklook" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x600009840460 holds 0x2121212121212121 instead of 0x60000122e940. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process": { "name": "Google Chrome", "pid": 85294 }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T11:55:57.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T11:56:30.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "objc[85294]: __weak variable at 0x600009840460 holds 0x2121212121212121 instead of 0x60000122e940. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug." - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "Unknown key for integer: _DirtyJetsamMemoryLimit", "process": { "name": "com.apple.xpc.launchd[1] (com.apple.imfoundation.IMRemoteURLConnectionAgent)" }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T11:56:30.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T11:57:57.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "Unknown key for integer: _DirtyJetsamMemoryLimit" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x60000ee5b730 holds 0x2121212121212121 instead of 0x600007821c20. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). 
Break on objc_weak_error to debug.", "process": { "name": "Google Chrome", "pid": 85294 }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T11:57:57.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T11:59:40.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "objc[85294]: __weak variable at 0x60000ee5b730 holds 0x2121212121212121 instead of 0x600007821c20. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug." - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process": { "name": "com.apple.xpc.launchd[1] (com.apple.quicklook[21946])" }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T11:59:40.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T12:01:57.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x600006a49940 holds 0x2121212121212121 instead of 0x6000078202e0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process": { "name": "Google Chrome", "pid": 85294 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:01:57.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "objc[85294]: __weak variable at 0x600006a49940 holds 0x2121212121212121 instead of 0x6000078202e0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). 
Break on objc_weak_error to debug." - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "ASL Sender Statistics", "process": { "name": "syslogd", "pid": 46 }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T12:01:57.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T12:03:04.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "ASL Sender Statistics" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "Invoked notification with id: d63743fb-f17b-4e9e-97d0-88e0e7304682", "process": { "name": "Slack Helper", "pid": 55199 }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T12:03:04.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T12:03:51.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "Invoked notification with id: d63743fb-f17b-4e9e-97d0-88e0e7304682" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process": { "name": "com.apple.xpc.launchd[1] (com.apple.quicklook[21966])" }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T12:03:51.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T12:05:57.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x60800f043dc0 holds 0x2121212121212121 instead of 0x6080026228c0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). 
Break on objc_weak_error to debug.", "process": { "name": "Google Chrome", "pid": 85294 }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T12:05:57.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T12:08:02.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "objc[85294]: __weak variable at 0x60800f043dc0 holds 0x2121212121212121 instead of 0x6080026228c0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug." - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process": { "name": "com.apple.xpc.launchd[1] (com.apple.quicklook[21981])" }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T12:08:02.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T12:09:57.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x608009a53600 holds 0x2121212121212121 instead of 0x608000629420. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process": { "name": "Google Chrome", "pid": 85294 }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T12:09:57.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T12:11:57.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "objc[85294]: __weak variable at 0x608009a53600 holds 0x2121212121212121 instead of 0x608000629420. 
This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug." - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x60800f259c30 holds 0x2121212121212121 instead of 0x608004a21c20. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process": { "name": "Google Chrome", "pid": 85294 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:11:57.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "objc[85294]: __weak variable at 0x60800f259c30 holds 0x2121212121212121 instead of 0x608004a21c20. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug." - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "ASL Sender Statistics", "process": { "name": "syslogd", "pid": 46 }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T12:11:57.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T12:12:13.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "ASL Sender Statistics" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process": { "name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22226])" }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T12:12:13.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T12:13:57.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "Endpoint has been activated through legacy launch(3) APIs. 
Please switch to XPC or bootstrap_check_in(): com.apple.quicklook" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x60000c647d80 holds 0x2121212121212121 instead of 0x600006e3ee80. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process": { "name": "Google Chrome", "pid": 85294 }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T12:13:57.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T12:15:57.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "objc[85294]: __weak variable at 0x60000c647d80 holds 0x2121212121212121 instead of 0x600006e3ee80. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug." - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x60800f053a80 holds 0x2121212121212121 instead of 0x608007227ce0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process": { "name": "Google Chrome", "pid": 85294 }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T12:15:57.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T12:16:24.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "objc[85294]: __weak variable at 0x60800f053a80 holds 0x2121212121212121 instead of 0x608007227ce0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug." - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "Endpoint has been activated through legacy launch(3) APIs. 
Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process": { "name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22241])" }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T12:16:24.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T12:17:57.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x60000a64ce80 holds 0x2121212121212121 instead of 0x600006629940. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process": { "name": "Google Chrome", "pid": 85294 }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T12:17:57.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T12:19:57.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "objc[85294]: __weak variable at 0x60000a64ce80 holds 0x2121212121212121 instead of 0x600006629940. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug." - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x60000a843580 holds 0x2121212121212121 instead of 0x600006629540. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). 
Break on objc_weak_error to debug.", "process": { "name": "Google Chrome", "pid": 85294 }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T12:19:57.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T12:20:35.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "objc[85294]: __weak variable at 0x60000a843580 holds 0x2121212121212121 instead of 0x600006629540. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug." - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process": { "name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22254])" }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T12:20:35.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T12:21:57.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x60800f45b910 holds 0x2121212121212121 instead of 0x608005822c40. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process": { "name": "Google Chrome", "pid": 85294 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:21:57.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "objc[85294]: __weak variable at 0x60800f45b910 holds 0x2121212121212121 instead of 0x608005822c40. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). 
Break on objc_weak_error to debug." - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "ASL Sender Statistics", "process": { "name": "syslogd", "pid": 46 }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T12:21:57.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T12:23:13.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "ASL Sender Statistics" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "Unknown key for integer: _DirtyJetsamMemoryLimit", "process": { "name": "com.apple.xpc.launchd[1] (com.apple.imfoundation.IMRemoteURLConnectionAgent)" }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T12:23:13.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T12:23:57.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "Unknown key for integer: _DirtyJetsamMemoryLimit" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x60000ea5edf0 holds 0x2121212121212121 instead of 0x600003a35a60. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process": { "name": "Google Chrome", "pid": 85294 }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T12:23:57.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T12:24:46.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "objc[85294]: __weak variable at 0x60000ea5edf0 holds 0x2121212121212121 instead of 0x600003a35a60. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug." - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "Endpoint has been activated through legacy launch(3) APIs. 
Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process": { "name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22265])" }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T12:24:46.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T12:28:43.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "Invoked notification with id: 52bf37d9-0c4e-4276-8789-9fc7704bdf5b", "process": { "name": "Slack Helper", "pid": 55199 }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T12:28:43.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T12:28:57.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "Invoked notification with id: 52bf37d9-0c4e-4276-8789-9fc7704bdf5b" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process": { "name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22292])" }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T12:28:57.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T12:29:06.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "Endpoint has been activated through legacy launch(3) APIs. 
Please switch to XPC or bootstrap_check_in(): com.apple.quicklook" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "Invoked notification with id: c6c7e356-60a7-4b9e-a9b1-ecc2b8ad09f2", "process": { "name": "Slack Helper", "pid": 55199 }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T12:29:06.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T12:29:57.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "Invoked notification with id: c6c7e356-60a7-4b9e-a9b1-ecc2b8ad09f2" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x60800f246430 holds 0x2121212121212121 instead of 0x608001c26d00. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process": { "name": "Google Chrome", "pid": 85294 }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T12:29:57.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T12:31:57.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "objc[85294]: __weak variable at 0x60800f246430 holds 0x2121212121212121 instead of 0x608001c26d00. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug." - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x60800c85fd80 holds 0x2121212121212121 instead of 0x608005a3a420. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). 
Break on objc_weak_error to debug.", "process": { "name": "Google Chrome", "pid": 85294 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:31:57.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "objc[85294]: __weak variable at 0x60800c85fd80 holds 0x2121212121212121 instead of 0x608005a3a420. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug." - }, - { - "process": { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "ASL Sender Statistics", + "process": { "name": "syslogd", "pid": 46 }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T12:31:57.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T12:33:08.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "ASL Sender Statistics" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process": { "name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22305])" }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T12:33:08.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T12:33:57.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x600006452400 holds 0x2121212121212121 instead of 0x60000763bac0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). 
Break on objc_weak_error to debug.", "process": { "name": "Google Chrome", "pid": 85294 }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T12:33:57.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T12:35:56.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "objc[85294]: __weak variable at 0x600006452400 holds 0x2121212121212121 instead of 0x60000763bac0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug." - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "2016-12-13 12:35:56.416 GoogleSoftwareUpdateAgent[22318/0x7fffcc3f93c0] [lvl=2] -[KSAgentApp setupLoggerOutput] Agent settings: \u003cKSAgentSettings:0x100505750 bundleID=com.google.Keystone.Agent lastCheck=2016-12-13 10:35:32 +0000 checkInterval=18000.000000 uiDisplayInterval=604800.000000 sleepInterval=1800.000000 jitterInterval=900 maxRunInterval=0.000000 isConsoleUser=1 ticketStorePath=/Users/tsg/Library/Google/GoogleSoftwareUpdate/TicketStore/Keystone.ticketstore runMode=3 daemonUpdateEngineBrokerServiceName=com.google.Keystone.Daemon.UpdateEngine daemonAdministrationServiceName=com.google.Keystone.Daemon.Administration logEverything=0 logBufferSize=2048 alwaysPromptForUpdates=0 productIDToUpdate=(null) lastUIDisplayed=(null) alwaysShowStatusItem=0 updateCheckTag=(null) printResults=NO userInitiated=NO\u003e", "process": { "name": "GoogleSoftwareUpdateAgent", "pid": 22318 }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T12:35:56.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T12:37:20.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "2016-12-13 12:35:56.416 GoogleSoftwareUpdateAgent[22318/0x7fffcc3f93c0] [lvl=2] -[KSAgentApp setupLoggerOutput] Agent settings: \u003cKSAgentSettings:0x100505750 
bundleID=com.google.Keystone.Agent lastCheck=2016-12-13 10:35:32 +0000 checkInterval=18000.000000 uiDisplayInterval=604800.000000 sleepInterval=1800.000000 jitterInterval=900 maxRunInterval=0.000000 isConsoleUser=1 ticketStorePath=/Users/tsg/Library/Google/GoogleSoftwareUpdate/TicketStore/Keystone.ticketstore runMode=3 daemonUpdateEngineBrokerServiceName=com.google.Keystone.Daemon.UpdateEngine daemonAdministrationServiceName=com.google.Keystone.Daemon.Administration logEverything=0 logBufferSize=2048 alwaysPromptForUpdates=0 productIDToUpdate=(null) lastUIDisplayed=(null) alwaysShowStatusItem=0 updateCheckTag=(null) printResults=NO userInitiated=NO\u003e" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process": { "name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22324])" }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T12:37:20.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T12:37:57.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x60800f24d0f0 holds 0x2121212121212121 instead of 0x608007423ee0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). 
Break on objc_weak_error to debug.", "process": { "name": "Google Chrome", "pid": 85294 }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T12:37:57.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T12:39:28.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "objc[85294]: __weak variable at 0x60800f24d0f0 holds 0x2121212121212121 instead of 0x608007423ee0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug." - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "Invoked notification with id: aa608788-d049-4d1a-9112-521c71702371", "process": { "name": "Slack Helper", "pid": 55199 }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T12:39:28.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T12:41:06.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "Invoked notification with id: aa608788-d049-4d1a-9112-521c71702371" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "Unknown key for integer: _DirtyJetsamMemoryLimit", "process": { "name": "com.apple.xpc.launchd[1] (com.apple.imfoundation.IMRemoteURLConnectionAgent)" }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T12:41:06.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T12:41:26.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "Unknown key for integer: _DirtyJetsamMemoryLimit" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "Invoked notification with id: d75f9ec1-a8fd-41c2-a45e-6df2952f0702", "process": { "name": "Slack Helper", "pid": 55199 }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T12:41:26.000-02:00", + } + }, + { + "@timestamp": 
"2022-12-13T12:41:30.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "Invoked notification with id: d75f9ec1-a8fd-41c2-a45e-6df2952f0702" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process": { "name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22336])" }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T12:41:30.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T12:41:57.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x60800a2535a0 holds 0x2121212121212121 instead of 0x608003828e20. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process": { "name": "Google Chrome", "pid": 85294 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:41:57.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "objc[85294]: __weak variable at 0x60800a2535a0 holds 0x2121212121212121 instead of 0x608003828e20. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug." 
- }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "ASL Sender Statistics", "process": { "name": "syslogd", "pid": 46 }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T12:41:57.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T12:43:57.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "ASL Sender Statistics" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x60800f241d50 holds 0x2121212121212121 instead of 0x60800562f380. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process": { "name": "Google Chrome", "pid": 85294 }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T12:43:57.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T12:45:41.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "objc[85294]: __weak variable at 0x60800f241d50 holds 0x2121212121212121 instead of 0x60800562f380. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug." - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process": { "name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22348])" }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T12:45:41.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T12:45:57.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "Endpoint has been activated through legacy launch(3) APIs. 
Please switch to XPC or bootstrap_check_in(): com.apple.quicklook" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x60000c444450 holds 0x2121212121212121 instead of 0x600007237f00. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process": { "name": "Google Chrome", "pid": 85294 }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T12:45:57.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T12:47:58.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "objc[85294]: __weak variable at 0x60000c444450 holds 0x2121212121212121 instead of 0x600007237f00. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug." - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x60000c4424a0 holds 0x2121212121212121 instead of 0x600007026520. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process": { "name": "Google Chrome", "pid": 85294 }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T12:47:58.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T12:49:13.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "objc[85294]: __weak variable at 0x60000c4424a0 holds 0x2121212121212121 instead of 0x600007026520. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug." 
- }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_handle_cache_delete_with_urgency(0x7fc55c429b40, 0, 1)", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:13.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_handle_cache_delete_with_urgency(0x7fc55c429b40, 0, 1)" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_volume_contains_cached_data(is /private/var/db/diagnostics/ in /) - YES", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:13.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_volume_contains_cached_data(is /private/var/db/diagnostics/ in /) - YES" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "Purged 0 bytes from log files.", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:13.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "Purged 0 bytes from log files." 
- }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext enter - 1", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T12:49:13.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T12:49:14.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext enter - 1" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext got 1023 UUIDs and 3 slibs from inflight logs", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:14.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext got 1023 UUIDs and 3 slibs from inflight logs" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "Unknown key for integer: _DirtyJetsamMemoryLimit", "process": { "name": "com.apple.xpc.launchd[1] (com.apple.imfoundation.IMRemoteURLConnectionAgent)" }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T12:49:14.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T12:49:24.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "Unknown key for integer: _DirtyJetsamMemoryLimit" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext got 1303 UUIDs and 3 slibs from inflight and persistent logs", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:24.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext got 1303 UUIDs and 3 slibs from inflight and persistent logs" - }, - { + "host": { + 
"hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext processing shared lib uuid 00000000-0000-0000-0000-000000000000", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:24.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext processing shared lib uuid 00000000-0000-0000-0000-000000000000" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext processing shared lib uuid 519BE6A1-940A-3142-975F-4EF4F41A89B3", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:24.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext processing shared lib uuid 519BE6A1-940A-3142-975F-4EF4F41A89B3" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext processing shared lib uuid C43133F6-64A3-3F65-997F-0E985A66E971", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:24.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext processing shared lib uuid C43133F6-64A3-3F65-997F-0E985A66E971" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext got 2260 UUIDs and 3 slibs from inflight and persistent logs and slibs", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:24.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext got 2260 UUIDs and 3 slibs from inflight and persistent logs and 
slibs" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 00000000-0000-0000-0000-000000000000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T12:49:24.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T12:49:27.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 00000000-0000-0000-0000-000000000000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 1BD0C00C-0885-4C02-B522-D1E9CBDE84E7 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T12:49:27.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T12:49:29.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 1BD0C00C-0885-4C02-B522-D1E9CBDE84E7 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 40E9BF5F-FF7F-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T12:49:29.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 40E9BF5F-FF7F-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 60E9BF5F-FF7F-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": 
{} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 60E9BF5F-FF7F-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 66A56E12-C69B-4249-BC49-760C03F3700A mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 66A56E12-C69B-4249-BC49-760C03F3700A mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 700F0308-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 700F0308-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 700F190B-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 700F190B-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext 
file for 700F3C07-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 700F3C07-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 700F6107-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 700F6107-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 700F800A-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 700F800A-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 700F8102-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 
700F8102-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 700F9401-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 700F9401-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 700FD70E-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 700FD70E-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 700FD900-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 700FD900-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 700FEE0B-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, 
- "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 700FEE0B-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 700FF904-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 700FF904-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 701F1C0F-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 701F1C0F-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 701F2F0E-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 701F2F0E-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 701F4C02-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": 
"logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 701F4C02-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 701FAE07-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 701FAE07-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 701FBD0F-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 701FBD0F-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 701FE80B-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 701FE80B-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" 
+ }, + "message": "_purge_uuidtext uuidtext file for 701FEF07-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 701FEF07-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 701FF700-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 701FF700-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 701FF90D-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 701FF90D-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 702F5E0E-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext 
uuidtext file for 702F5E0E-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 702F6503-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 702F6503-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 702F6B06-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 702F6B06-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 702FEB0B-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 702FEB0B-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 702FFC01-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { 
"version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 702FFC01-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 703F0E06-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 703F0E06-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 703F4A0A-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 703F4A0A-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 703F8C07-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 703F8C07-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 703F9405-0070-0000-FD68-88C3FF7F0000 mentioned but not found", 
"process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 703F9405-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 703FA300-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 703FA300-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 703FC709-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 703FC709-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 703FD007-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 703FD007-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": 
"a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 703FED05-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 703FED05-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 704F0003-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 704F0003-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { - "process": { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 704F550C-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 704F550C-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 704F750A-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": 
"GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 704F750A-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 704F8102-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 704F8102-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 704F8C0C-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 704F8C0C-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 704F8D09-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 704F8D09-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 704FB402-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": 
"2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 704FB402-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 704FBB01-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 704FBB01-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 705F030E-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 705F030E-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 705F2D10-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 705F2D10-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 
705F3B01-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 705F3B01-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 705F4E0A-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 705F4E0A-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 705FA30D-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 705FA30D-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 705FDA05-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 
705FDA05-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 705FDF03-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 705FDF03-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 706F5101-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 706F5101-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 706F6300-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 706F6300-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 706F6E05-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, 
- "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 706F6E05-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 706FE207-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 706FE207-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 706FEC00-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 706FEC00-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 706FFB07-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 706FFB07-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 707F0907-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": 
"logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 707F0907-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 707F6A04-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 707F6A04-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 707F7B00-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 707F7B00-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { - "process": { - "name": "logd", + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 707F9B0D-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 707F9B0D-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": 
{ + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 707FAD09-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 707FAD09-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 707FB80A-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 707FB80A-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 707FD809-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 707FD809-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 707FE404-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": 
"GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 707FE404-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 708F3207-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 708F3207-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 708F3402-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 708F3402-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 708F3809-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 708F3809-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 708F470F-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": 
"2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 708F470F-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 708F8A00-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 708F8A00-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 708F9F0A-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 708F9F0A-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 708FB403-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 708FB403-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 
708FC507-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 708FC507-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 708FDC07-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 708FDC07-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 708FEA0A-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 708FEA0A-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 708FFC08-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 
708FFC08-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 709F1005-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 709F1005-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 709F1E0D-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 709F1E0D-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 709F4C0A-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 709F4C0A-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 709F5F08-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, 
- "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 709F5F08-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 709F6306-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 709F6306-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 709F6903-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 709F6903-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 709F980E-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 709F980E-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { - "process": { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 709FA80C-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + 
"process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 709FA80C-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 709FE302-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 709FE302-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 709FE808-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 709FE808-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 709FE809-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 709FE809-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": 
"a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 709FED00-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 709FED00-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 709FEF02-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 709FEF02-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 709FEF0A-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 709FEF0A-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70AF070C-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - 
"message": "_purge_uuidtext uuidtext file for 70AF070C-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70AF2108-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 70AF2108-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70AF270C-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 70AF270C-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70AF390B-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 70AF390B-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70AF4A0D-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": 
"2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 70AF4A0D-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70AF6D06-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 70AF6D06-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70AF700E-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 70AF700E-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70AF810D-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 70AF810D-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 
70AF9D02-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 70AF9D02-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70AFA200-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 70AFA200-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70AFBE07-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 70AFBE07-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70AFCC02-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 
70AFCC02-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70BF210E-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 70BF210E-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70BF4C0A-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 70BF4C0A-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70BF9000-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 70BF9000-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70BF9302-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, 
- "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 70BF9302-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { - "process": { - "name": "logd", + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70BFC302-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { + "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 70BFC302-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70BFD507-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 70BFD507-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70BFD605-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 70BFD605-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70BFE302-0070-0000-FD68-88C3FF7F0000 mentioned but 
not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 70BFE302-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70BFFF03-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 70BFFF03-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70CF0210-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 70CF0210-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70CF0603-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 70CF0603-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + 
"hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70CF0802-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 70CF0802-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70CF180F-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 70CF180F-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70CF1902-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 70CF1902-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70CF4A07-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" 
}, - "message": "_purge_uuidtext uuidtext file for 70CF4A07-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70CF530D-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 70CF530D-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70CF590D-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 70CF590D-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70CF770D-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 70CF770D-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70CFA700-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": 
"2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 70CFA700-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70CFC804-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 70CFC804-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70CFE00C-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 70CFE00C-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70CFEA09-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 70CFEA09-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 
70CFED0B-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 70CFED0B-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70DF4B07-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 70DF4B07-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70DF7301-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 70DF7301-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70DFA303-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 
70DFA303-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70DFCB0E-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 70DFCB0E-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { - "process": { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70DFDD01-0070-0000-FD68-88C3FF7F0000 mentioned but not found", + "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 70DFDD01-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70DFE504-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 70DFE504-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70E9BF5F-FF7F-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { 
"version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 70E9BF5F-FF7F-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70EF2F0A-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 70EF2F0A-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70EF4609-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 70EF4609-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70EF5D05-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 70EF5D05-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70EF7F07-0070-0000-FD68-88C3FF7F0000 mentioned but not found", 
"process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 70EF7F07-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70EF8606-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 70EF8606-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70EFA406-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 70EFA406-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70EFA60F-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 70EFA60F-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": 
"a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70EFC606-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 70EFC606-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70EFD407-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 70EFD407-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70FF0207-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 70FF0207-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70FF1E04-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - 
"message": "_purge_uuidtext uuidtext file for 70FF1E04-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70FF6F01-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 70FF6F01-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70FF7703-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:31.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 70FF7703-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 70FF9708-0070-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T12:49:31.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T12:49:32.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 70FF9708-0070-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for 80E8BF5F-FF7F-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} 
- }, + } + }, + { "@timestamp": "2022-12-13T12:49:32.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for 80E8BF5F-FF7F-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for A0E8BF5F-FF7F-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:32.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for A0E8BF5F-FF7F-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for A0E9BF5F-FF7F-0000-FD68-88C3FF7F0000 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:32.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for A0E9BF5F-FF7F-0000-FD68-88C3FF7F0000 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for B22412E8-3691-4FA9-95EA-C5B9E2A3C572 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T12:49:32.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T12:49:33.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for B22412E8-3691-4FA9-95EA-C5B9E2A3C572 mentioned but not found" - }, - { + "host": { + "hostname": 
"a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuidtext file for F011D7E8-7633-3668-9455-53893C4F4B33 mentioned but not found", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:33.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuidtext file for F011D7E8-7633-3668-9455-53893C4F4B33 mentioned but not found" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext tree walked", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:33.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext tree walked" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/00/0E757A4E2C3108A74D6C5A996AAAAB", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:33.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext unlinking /var/db/uuidtext/00/0E757A4E2C3108A74D6C5A996AAAAB" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/00/F2131643943190B32FE35236EA4864", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:33.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext unlinking /var/db/uuidtext/00/F2131643943190B32FE35236EA4864" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking 
/var/db/uuidtext/06/608E438FDA3E28B9A262F575FE0E75", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:33.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext unlinking /var/db/uuidtext/06/608E438FDA3E28B9A262F575FE0E75" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/09/35918C5C783B8AB2E6B75B12056F3C", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:33.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext unlinking /var/db/uuidtext/09/35918C5C783B8AB2E6B75B12056F3C" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/11/DD409E112F373398E6DA86BF046EC9", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:33.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext unlinking /var/db/uuidtext/11/DD409E112F373398E6DA86BF046EC9" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/14/65FB07456D36EC9EC80462D86BB21B", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:33.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext unlinking /var/db/uuidtext/14/65FB07456D36EC9EC80462D86BB21B" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking 
/var/db/uuidtext/18/A779EC17953910996D134A28F5C564", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T12:49:33.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T12:49:34.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext unlinking /var/db/uuidtext/18/A779EC17953910996D134A28F5C564" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/19/57E846B04C32FBAD78821B285B0D18", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:34.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext unlinking /var/db/uuidtext/19/57E846B04C32FBAD78821B285B0D18" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/1E/79F11C7D5333F1BD0630540535F725", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:34.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext unlinking /var/db/uuidtext/1E/79F11C7D5333F1BD0630540535F725" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/1E/9811DDA51A3BE9A4A748AD394DBE73", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:34.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext unlinking /var/db/uuidtext/1E/9811DDA51A3BE9A4A748AD394DBE73" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + 
}, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/23/099C5F0A853312A9BD5694C15D228C", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:34.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext unlinking /var/db/uuidtext/23/099C5F0A853312A9BD5694C15D228C" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/27/FBA267162735F8B5A6BF29E3A7670E", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:34.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext unlinking /var/db/uuidtext/27/FBA267162735F8B5A6BF29E3A7670E" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/39/2980D3CAF73E2A94ED57F74979F1D9", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:34.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext unlinking /var/db/uuidtext/39/2980D3CAF73E2A94ED57F74979F1D9" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/3E/67870101A7359F88CCB9BD6681FC93", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:34.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext unlinking /var/db/uuidtext/3E/67870101A7359F88CCB9BD6681FC93" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + 
"message": "_purge_uuidtext unlinking /var/db/uuidtext/41/C51F4A33E03ACF86603802C9E6FFDE", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:34.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext unlinking /var/db/uuidtext/41/C51F4A33E03ACF86603802C9E6FFDE" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/42/BF3535B92C3272BA41F8A9BC267F3B", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:34.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext unlinking /var/db/uuidtext/42/BF3535B92C3272BA41F8A9BC267F3B" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/42/C18E8D6CEE37FF8DCD1390244CF38E", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:34.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext unlinking /var/db/uuidtext/42/C18E8D6CEE37FF8DCD1390244CF38E" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/53/4B25B3C583361EADD5CB938678868C", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:34.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext unlinking /var/db/uuidtext/53/4B25B3C583361EADD5CB938678868C" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + 
"message": "_purge_uuidtext unlinking /var/db/uuidtext/54/090A60831C3233A4F0022DB86FF8B8", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:34.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext unlinking /var/db/uuidtext/54/090A60831C3233A4F0022DB86FF8B8" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/56/8EBEC4BC8230848898534D17830BB6", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:34.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext unlinking /var/db/uuidtext/56/8EBEC4BC8230848898534D17830BB6" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/57/58C9F966E631669B74E6625D40C806", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:34.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext unlinking /var/db/uuidtext/57/58C9F966E631669B74E6625D40C806" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/5E/F7315AF27B31A6A38D6364704D4FFC", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:34.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext unlinking /var/db/uuidtext/5E/F7315AF27B31A6A38D6364704D4FFC" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + 
"message": "_purge_uuidtext unlinking /var/db/uuidtext/5F/2B940389D136F2817A41C784D530CB", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:34.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext unlinking /var/db/uuidtext/5F/2B940389D136F2817A41C784D530CB" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/62/196B2A409236898AAD3A1520C53191", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:34.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext unlinking /var/db/uuidtext/62/196B2A409236898AAD3A1520C53191" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/65/2D3DB29CBA32E297A65465CBA36B01", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:34.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext unlinking /var/db/uuidtext/65/2D3DB29CBA32E297A65465CBA36B01" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/67/58A21E3D2B3620952A68EC384CC1AF", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:34.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext unlinking /var/db/uuidtext/67/58A21E3D2B3620952A68EC384CC1AF" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + 
"message": "_purge_uuidtext unlinking /var/db/uuidtext/69/ADA53CBD3A3E31B08CFD85B12D52E1", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:34.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext unlinking /var/db/uuidtext/69/ADA53CBD3A3E31B08CFD85B12D52E1" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/72/FB1BBBCA3E30E89802A68B8B2B07F1", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:34.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext unlinking /var/db/uuidtext/72/FB1BBBCA3E30E89802A68B8B2B07F1" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/74/702F7027E834ACB0057983649FFB29", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:34.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext unlinking /var/db/uuidtext/74/702F7027E834ACB0057983649FFB29" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/75/B25BA663DB34EC9AAC6971BBE817EB", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:34.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext unlinking /var/db/uuidtext/75/B25BA663DB34EC9AAC6971BBE817EB" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + 
"message": "_purge_uuidtext unlinking /var/db/uuidtext/75/B88148A6E233F8AFF323294DE561E0", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:34.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext unlinking /var/db/uuidtext/75/B88148A6E233F8AFF323294DE561E0" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/76/2702DC49823F9E8292BB022D6BAF84", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:34.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext unlinking /var/db/uuidtext/76/2702DC49823F9E8292BB022D6BAF84" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/76/73D347C0F834879F9438D542975A23", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:34.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext unlinking /var/db/uuidtext/76/73D347C0F834879F9438D542975A23" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/78/397DF6C0253FD383E4AFAE3DD2E49C", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:34.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext unlinking /var/db/uuidtext/78/397DF6C0253FD383E4AFAE3DD2E49C" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + 
"message": "_purge_uuidtext unlinking /var/db/uuidtext/7F/BCC184181A3913ADC50E38F950D098", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:34.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext unlinking /var/db/uuidtext/7F/BCC184181A3913ADC50E38F950D098" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/81/12B328744938E1ACF2846B35CD83B4", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:34.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext unlinking /var/db/uuidtext/81/12B328744938E1ACF2846B35CD83B4" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/82/3CB803D77334D0B5C759685022D876", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:34.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext unlinking /var/db/uuidtext/82/3CB803D77334D0B5C759685022D876" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/8A/860FB569623B81B0511956EC82CEA3", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:34.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext unlinking /var/db/uuidtext/8A/860FB569623B81B0511956EC82CEA3" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + 
"message": "_purge_uuidtext unlinking /var/db/uuidtext/90/9D581D35E7358AA75371D3A038142D", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:34.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext unlinking /var/db/uuidtext/90/9D581D35E7358AA75371D3A038142D" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/99/AC7E971E8C3319AD0514626D763823", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:34.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext unlinking /var/db/uuidtext/99/AC7E971E8C3319AD0514626D763823" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/9A/53817F2101396598311DB81D851FBA", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:34.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext unlinking /var/db/uuidtext/9A/53817F2101396598311DB81D851FBA" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/9B/2EB7A3E93A3641B38EAD32B1CBE412", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:34.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext unlinking /var/db/uuidtext/9B/2EB7A3E93A3641B38EAD32B1CBE412" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + 
"message": "_purge_uuidtext unlinking /var/db/uuidtext/9F/E64976D7223E7F992BB3287AF23301", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:34.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext unlinking /var/db/uuidtext/9F/E64976D7223E7F992BB3287AF23301" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/A7/8C02A56C0F3A9D90CAD8C92842B9A9", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:34.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext unlinking /var/db/uuidtext/A7/8C02A56C0F3A9D90CAD8C92842B9A9" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/A9/733CC25E7239F98BC0812C5D7AF135", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:34.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext unlinking /var/db/uuidtext/A9/733CC25E7239F98BC0812C5D7AF135" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/AB/450D449D5432C9B30A439A35B29931", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:34.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext unlinking /var/db/uuidtext/AB/450D449D5432C9B30A439A35B29931" - }, - { - "process": { - "name": "logd", + "host": { + "hostname": 
"a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/B0/AF101031AA3188A08CF1517F800B2C", + "process": { + "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:34.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext unlinking /var/db/uuidtext/B0/AF101031AA3188A08CF1517F800B2C" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/B4/77C958888B3AB092FD097D2C9A1B13", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:34.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext unlinking /var/db/uuidtext/B4/77C958888B3AB092FD097D2C9A1B13" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/B4/BDFB4CAE49386B963E2C7A296B7D20", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:34.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext unlinking /var/db/uuidtext/B4/BDFB4CAE49386B963E2C7A296B7D20" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/B5/0CBF2789673C6AB67F80F199CFD499", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:34.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext unlinking /var/db/uuidtext/B5/0CBF2789673C6AB67F80F199CFD499" - }, - { + "host": { + "hostname": 
"a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/B6/41F64AD9923AD19AED8A35325FB04E", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:34.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext unlinking /var/db/uuidtext/B6/41F64AD9923AD19AED8A35325FB04E" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/B6/566C8F2EA7349EB2C02647D2F69F97", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:34.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext unlinking /var/db/uuidtext/B6/566C8F2EA7349EB2C02647D2F69F97" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/BA/2A57BB4346303EA1E87862E6752057", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:34.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext unlinking /var/db/uuidtext/BA/2A57BB4346303EA1E87862E6752057" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/C0/2D31E981553F31B0E9C36C232EE607", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:34.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext unlinking /var/db/uuidtext/C0/2D31E981553F31B0E9C36C232EE607" - }, - { + "host": { + "hostname": 
"a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/C0/E060E4E9373D4D9B4A930D3291F052", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:34.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext unlinking /var/db/uuidtext/C0/E060E4E9373D4D9B4A930D3291F052" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/C2/531C46380A3DA489F7752C2FE6AEA0", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:34.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext unlinking /var/db/uuidtext/C2/531C46380A3DA489F7752C2FE6AEA0" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/C9/17C064F3903260A7DC304FABDDC3FD", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:34.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext unlinking /var/db/uuidtext/C9/17C064F3903260A7DC304FABDDC3FD" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/CD/E2995BDA593F96B16EF1AE92AF31D8", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:34.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext unlinking /var/db/uuidtext/CD/E2995BDA593F96B16EF1AE92AF31D8" - }, - { + "host": { + "hostname": 
"a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/CE/EE9ADE6F813CD78A1308F14010F463", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:34.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext unlinking /var/db/uuidtext/CE/EE9ADE6F813CD78A1308F14010F463" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/D1/7E3015AC923AFE89BAFE6411B96431", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:34.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext unlinking /var/db/uuidtext/D1/7E3015AC923AFE89BAFE6411B96431" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/D3/AE090906EC3F058A04EE77A574C8B3", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:34.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext unlinking /var/db/uuidtext/D3/AE090906EC3F058A04EE77A574C8B3" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/DA/BAD1584258317A8483FE9CF10547BD", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:34.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext unlinking /var/db/uuidtext/DA/BAD1584258317A8483FE9CF10547BD" - }, - { + "host": { + "hostname": 
"a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/DD/CCB6FD639830F39A5D87247D54F616", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:34.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext unlinking /var/db/uuidtext/DD/CCB6FD639830F39A5D87247D54F616" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/E1/05E61475463784975FC5278723D08C", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:34.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext unlinking /var/db/uuidtext/E1/05E61475463784975FC5278723D08C" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/E1/B515E0321E3B85B90F01D623DC9047", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:34.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext unlinking /var/db/uuidtext/E1/B515E0321E3B85B90F01D623DC9047" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/E2/8DBEF43A0A37008A26AE9F016435F3", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:34.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext unlinking /var/db/uuidtext/E2/8DBEF43A0A37008A26AE9F016435F3" - }, - { + "host": { + "hostname": 
"a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/E3/55D24FAC0838679583537F319C7B72", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:34.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext unlinking /var/db/uuidtext/E3/55D24FAC0838679583537F319C7B72" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/EF/8522BAF9393808A2E6018507233133", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:34.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext unlinking /var/db/uuidtext/EF/8522BAF9393808A2E6018507233133" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext unlinking /var/db/uuidtext/FC/F7262CC2703E32BD3808B2D50C74F0", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:34.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext unlinking /var/db/uuidtext/FC/F7262CC2703E32BD3808B2D50C74F0" - }, - { - "process": { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext total: 2209, in_use:2104, marked:23, recent:13, deleted 69", + "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:34.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext total: 2209, in_use:2104, marked:23, recent:13, deleted 69" - }, - { + "host": { + 
"hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext slib tree cleaned up (0)", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:34.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext slib tree cleaned up (0)" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext uuid tree cleaned up (3)", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:34.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext uuid tree cleaned up (3)" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "_purge_uuidtext cleaned up (0)", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:49:34.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "_purge_uuidtext cleaned up (0)" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "Purged 5816519 bytes from uuidtext.", "process": { "name": "logd", "pid": 63 }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T12:49:34.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T12:49:52.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "Purged 5816519 bytes from uuidtext." - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "Endpoint has been activated through legacy launch(3) APIs. 
Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process": { "name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22360])" }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T12:49:52.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T12:49:57.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x600011443d90 holds 0x2121212121212121 instead of 0x600006e206c0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process": { "name": "Google Chrome", "pid": 85294 }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T12:49:57.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T12:51:58.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "objc[85294]: __weak variable at 0x600011443d90 holds 0x2121212121212121 instead of 0x600006e206c0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug." - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x60800ac568a0 holds 0x2121212121212121 instead of 0x608003630680. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). 
Break on objc_weak_error to debug.", "process": { "name": "Google Chrome", "pid": 85294 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T12:51:58.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "objc[85294]: __weak variable at 0x60800ac568a0 holds 0x2121212121212121 instead of 0x608003630680. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug." - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "ASL Sender Statistics", "process": { "name": "syslogd", "pid": 46 }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T12:51:58.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T12:53:58.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "ASL Sender Statistics" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x60000664ad50 holds 0x2121212121212121 instead of 0x600006c31140. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process": { "name": "Google Chrome", "pid": 85294 }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T12:53:58.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T12:54:03.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "objc[85294]: __weak variable at 0x60000664ad50 holds 0x2121212121212121 instead of 0x600006c31140. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug." - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "Endpoint has been activated through legacy launch(3) APIs. 
Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process": { "name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22370])" }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T12:54:03.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T12:55:58.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x6000060446c0 holds 0x2121212121212121 instead of 0x600006c34d60. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process": { "name": "Google Chrome", "pid": 85294 }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T12:55:58.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T12:57:58.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "objc[85294]: __weak variable at 0x6000060446c0 holds 0x2121212121212121 instead of 0x600006c34d60. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug." - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x60000c645c20 holds 0x2121212121212121 instead of 0x600002e295c0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). 
Break on objc_weak_error to debug.", "process": { "name": "Google Chrome", "pid": 85294 }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T12:57:58.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T12:58:14.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "objc[85294]: __weak variable at 0x60000c645c20 holds 0x2121212121212121 instead of 0x600002e295c0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug." - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process": { "name": "com.apple.xpc.launchd[1] (com.apple.quicklook[22382])" }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T12:58:14.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T12:59:58.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x60800fe59330 holds 0x2121212121212121 instead of 0x608004030e80. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process": { "name": "Google Chrome", "pid": 85294 }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T12:59:58.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T13:01:58.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "objc[85294]: __weak variable at 0x60800fe59330 holds 0x2121212121212121 instead of 0x608004030e80. 
This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug." - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x60000ec41a20 holds 0x2121212121212121 instead of 0x600002e2d920. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process": { "name": "Google Chrome", "pid": 85294 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T13:01:58.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "objc[85294]: __weak variable at 0x60000ec41a20 holds 0x2121212121212121 instead of 0x600002e2d920. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug." - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "ASL Sender Statistics", "process": { "name": "syslogd", "pid": 46 }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T13:01:58.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T13:03:19.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "ASL Sender Statistics" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "BUG in libdispatch client: kevent[EVFILT_MACHPORT] monitored resource vanished before the source cancel handler was invoked", "process": { "name": "Preview", "pid": 24046 }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T13:03:19.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T13:03:58.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "BUG in libdispatch client: kevent[EVFILT_MACHPORT] monitored resource vanished before the source cancel handler was invoked" - }, - { + "host": { + 
"hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x608007645da0 holds 0x2121212121212121 instead of 0x6080044252a0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process": { "name": "Google Chrome", "pid": 85294 }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T13:03:58.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T13:05:26.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "objc[85294]: __weak variable at 0x608007645da0 holds 0x2121212121212121 instead of 0x6080044252a0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug." - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process": { "name": "com.apple.xpc.launchd[1] (com.apple.quicklook[25276])" }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T13:05:26.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T13:05:58.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x60000c643b20 holds 0x2121212121212121 instead of 0x6000036340a0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). 
Break on objc_weak_error to debug.", "process": { "name": "Google Chrome", "pid": 85294 }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T13:05:58.000-02:00", - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "a-mac-with-esc-key" + } + }, + { + "@timestamp": "2022-12-13T13:07:26.000-02:00", + "ecs": { + "version": "8.0.0" }, "event": { "timezone": "GMT-0200" }, - "message": "objc[85294]: __weak variable at 0x60000c643b20 holds 0x2121212121212121 instead of 0x6000036340a0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug." - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "Invoked notification with id: 7cc1869b-ba48-4307-8474-0bc68cd9c71d", "process": { "name": "Slack Helper", "pid": 55199 }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T13:07:26.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T13:07:58.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "Invoked notification with id: 7cc1869b-ba48-4307-8474-0bc68cd9c71d" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x600007852ee0 holds 0x2121212121212121 instead of 0x600006a22780. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process": { "name": "Google Chrome", "pid": 85294 }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T13:07:58.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T13:09:37.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "objc[85294]: __weak variable at 0x600007852ee0 holds 0x2121212121212121 instead of 0x600006a22780. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug." 
- }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process": { "name": "com.apple.xpc.launchd[1] (com.apple.quicklook[25878])" }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T13:09:37.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T13:09:49.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "Unknown key for integer: _DirtyJetsamMemoryLimit", "process": { "name": "com.apple.xpc.launchd[1] (com.apple.imfoundation.IMRemoteURLConnectionAgent)" }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T13:09:49.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T13:13:48.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "Unknown key for integer: _DirtyJetsamMemoryLimit" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process": { "name": "com.apple.xpc.launchd[1] (com.apple.quicklook[25888])" }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T13:13:48.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "Endpoint has been activated through legacy launch(3) APIs. 
Please switch to XPC or bootstrap_check_in(): com.apple.quicklook" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "ASL Sender Statistics", "process": { "name": "syslogd", "pid": 46 }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T13:13:48.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T13:13:58.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "ASL Sender Statistics" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x60001125b6a0 holds 0x2121212121212121 instead of 0x600007234ce0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process": { "name": "Google Chrome", "pid": 85294 }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T13:13:58.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T13:15:58.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "objc[85294]: __weak variable at 0x60001125b6a0 holds 0x2121212121212121 instead of 0x600007234ce0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug." - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x600006a41480 holds 0x2121212121212121 instead of 0x600003a2e920. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). 
Break on objc_weak_error to debug.", "process": { "name": "Google Chrome", "pid": 85294 }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T13:15:58.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T13:17:58.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "objc[85294]: __weak variable at 0x600006a41480 holds 0x2121212121212121 instead of 0x600003a2e920. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug." - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x600005a46cd0 holds 0x2121212121212121 instead of 0x60000582bd00. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process": { "name": "Google Chrome", "pid": 85294 }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T13:17:58.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T13:17:59.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "objc[85294]: __weak variable at 0x600005a46cd0 holds 0x2121212121212121 instead of 0x60000582bd00. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug." - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "Endpoint has been activated through legacy launch(3) APIs. 
Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process": { "name": "com.apple.xpc.launchd[1] (com.apple.quicklook[25896])" }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T13:17:59.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T13:19:58.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x60800ee5b730 holds 0x2121212121212121 instead of 0x6080072264c0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process": { "name": "Google Chrome", "pid": 85294 }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T13:19:58.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T13:21:58.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "objc[85294]: __weak variable at 0x60800ee5b730 holds 0x2121212121212121 instead of 0x6080072264c0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug." - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x60800f65cb10 holds 0x2121212121212121 instead of 0x6080046351c0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). 
Break on objc_weak_error to debug.", "process": { "name": "Google Chrome", "pid": 85294 }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T13:21:58.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T13:22:10.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "objc[85294]: __weak variable at 0x60800f65cb10 holds 0x2121212121212121 instead of 0x6080046351c0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug." - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process": { "name": "com.apple.xpc.launchd[1] (com.apple.quicklook[25914])" }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T13:22:10.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T13:23:58.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x600008c56780 holds 0x2121212121212121 instead of 0x600006624600. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process": { "name": "Google Chrome", "pid": 85294 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T13:23:58.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "objc[85294]: __weak variable at 0x600008c56780 holds 0x2121212121212121 instead of 0x600006624600. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). 
Break on objc_weak_error to debug." - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "ASL Sender Statistics", "process": { "name": "syslogd", "pid": 46 }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T13:23:58.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T13:25:58.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "ASL Sender Statistics" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x60800f65d7a0 holds 0x2121212121212121 instead of 0x608003a3d9a0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process": { "name": "Google Chrome", "pid": 85294 }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T13:25:58.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T13:26:21.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "objc[85294]: __weak variable at 0x60800f65d7a0 holds 0x2121212121212121 instead of 0x608003a3d9a0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug." - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process": { "name": "com.apple.xpc.launchd[1] (com.apple.quicklook[25923])" }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T13:26:21.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T13:27:58.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "Endpoint has been activated through legacy launch(3) APIs. 
Please switch to XPC or bootstrap_check_in(): com.apple.quicklook" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x60000785e8e0 holds 0x2121212121212121 instead of 0x600006622ba0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process": { "name": "Google Chrome", "pid": 85294 }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T13:27:58.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T13:29:58.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "objc[85294]: __weak variable at 0x60000785e8e0 holds 0x2121212121212121 instead of 0x600006622ba0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug." - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x60801005a980 holds 0x2121212121212121 instead of 0x608001a3f8a0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process": { "name": "Google Chrome", "pid": 85294 }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T13:29:58.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T13:30:33.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "objc[85294]: __weak variable at 0x60801005a980 holds 0x2121212121212121 instead of 0x608001a3f8a0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug." - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "Endpoint has been activated through legacy launch(3) APIs. 
Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process": { "name": "com.apple.xpc.launchd[1] (com.apple.quicklook[25940])" }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T13:30:33.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T13:31:58.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x60000d6588b0 holds 0x2121212121212121 instead of 0x600002a3dd60. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process": { "name": "Google Chrome", "pid": 85294 }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T13:31:58.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T13:32:28.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "objc[85294]: __weak variable at 0x60000d6588b0 holds 0x2121212121212121 instead of 0x600002a3dd60. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug." 
- }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "Unknown key for integer: _DirtyJetsamMemoryLimit", "process": { "name": "com.apple.xpc.launchd[1] (com.apple.imfoundation.IMRemoteURLConnectionAgent)" }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T13:32:28.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T13:33:58.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "Unknown key for integer: _DirtyJetsamMemoryLimit" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x60800f459990 holds 0x2121212121212121 instead of 0x60800463e7e0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process": { "name": "Google Chrome", "pid": 85294 }, "system": { "syslog": {} - }, + } + }, + { "@timestamp": "2022-12-13T13:33:58.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "objc[85294]: __weak variable at 0x60800f459990 holds 0x2121212121212121 instead of 0x60800463e7e0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug." - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "ASL Sender Statistics", "process": { "name": "syslogd", "pid": 46 }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T13:33:58.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T13:34:44.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "ASL Sender Statistics" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "Endpoint has been activated through legacy launch(3) APIs. 
Please switch to XPC or bootstrap_check_in(): com.apple.quicklook", "process": { "name": "com.apple.xpc.launchd[1] (com.apple.quicklook[26381])" }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T13:34:44.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T13:35:59.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.quicklook" - }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "objc[85294]: __weak variable at 0x60000be429b0 holds 0x2121212121212121 instead of 0x600003c325e0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug.", "process": { "name": "Google Chrome", "pid": 85294 }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T13:35:59.000-02:00", + } + }, + { + "@timestamp": "2022-12-13T13:36:19.000-02:00", "ecs": { "version": "8.0.0" }, - "host": { - "hostname": "a-mac-with-esc-key" - }, "event": { "timezone": "GMT-0200" }, - "message": "objc[85294]: __weak variable at 0x60000be429b0 holds 0x2121212121212121 instead of 0x600003c325e0. This is probably incorrect use of objc_storeWeak() and objc_loadWeak(). Break on objc_weak_error to debug." 
- }, - { + "host": { + "hostname": "a-mac-with-esc-key" + }, + "message": "2016-12-13 13:36:19.906 GoogleSoftwareUpdateAgent[27321/0x7fffcc3f93c0] [lvl=2] -[KSAgentApp setupLoggerOutput] Agent settings: \u003cKSAgentSettings:0x100228060 bundleID=com.google.Keystone.Agent lastCheck=2016-12-13 10:35:32 +0000 checkInterval=18000.000000 uiDisplayInterval=604800.000000 sleepInterval=1800.000000 jitterInterval=900 maxRunInterval=0.000000 isConsoleUser=1 ticketStorePath=/Users/tsg/Library/Google/GoogleSoftwareUpdate/TicketStore/Keystone.ticketstore runMode=3 daemonUpdateEngineBrokerServiceName=com.google.Keystone.Daemon.UpdateEngine daemonAdministrationServiceName=com.google.Keystone.Daemon.Administration logEverything=0 logBufferSize=2048 alwaysPromptForUpdates=0 productIDToUpdate=(null) lastUIDisplayed=(null) alwaysShowStatusItem=0 updateCheckTag=(null) printResults=NO userInitiated=NO\u003e", "process": { "name": "GoogleSoftwareUpdateAgent", "pid": 27321 }, "system": { "syslog": {} - }, - "@timestamp": "2022-12-13T13:36:19.000-02:00", - "ecs": { - "version": "8.0.0" - }, - "host": { - "hostname": "a-mac-with-esc-key" - }, - "event": { - "timezone": "GMT-0200" - }, - "message": "2016-12-13 13:36:19.906 GoogleSoftwareUpdateAgent[27321/0x7fffcc3f93c0] [lvl=2] -[KSAgentApp setupLoggerOutput] Agent settings: \u003cKSAgentSettings:0x100228060 bundleID=com.google.Keystone.Agent lastCheck=2016-12-13 10:35:32 +0000 checkInterval=18000.000000 uiDisplayInterval=604800.000000 sleepInterval=1800.000000 jitterInterval=900 maxRunInterval=0.000000 isConsoleUser=1 ticketStorePath=/Users/tsg/Library/Google/GoogleSoftwareUpdate/TicketStore/Keystone.ticketstore runMode=3 daemonUpdateEngineBrokerServiceName=com.google.Keystone.Daemon.UpdateEngine daemonAdministrationServiceName=com.google.Keystone.Daemon.Administration logEverything=0 logBufferSize=2048 alwaysPromptForUpdates=0 productIDToUpdate=(null) lastUIDisplayed=(null) alwaysShowStatusItem=0 updateCheckTag=(null) printResults=NO 
userInitiated=NO\u003e"
+ }
 }
 ]
 }
\ No newline at end of file
diff --git a/packages/system/data_stream/syslog/_dev/test/pipeline/test-suse-syslog.log-expected.json b/packages/system/data_stream/syslog/_dev/test/pipeline/test-suse-syslog.log-expected.json
index 87a7c51513b..77d9520b98d 100644
--- a/packages/system/data_stream/syslog/_dev/test/pipeline/test-suse-syslog.log-expected.json
+++ b/packages/system/data_stream/syslog/_dev/test/pipeline/test-suse-syslog.log-expected.json
@@ -1,44 +1,44 @@
 {
 "expected": [
 {
- "process": {
- "name": "systemd",
- "pid": 4179
- },
- "system": {
- "syslog": {}
- },
 "@timestamp": "2018-08-14T10:30:02.203-02:00",
 "ecs": {
 "version": "8.0.0"
 },
- "host": {
- "hostname": "linux-sqrz"
- },
 "event": {
 "timezone": "GMT-0200"
 },
- "message": "Stopped target Basic System."
- },
- {
+ "host": {
+ "hostname": "linux-sqrz"
+ },
+ "message": "Stopped target Basic System.",
 "process": {
 "name": "systemd",
 "pid": 4179
 },
 "system": {
 "syslog": {}
- },
+ }
+ },
+ {
 "@timestamp": "2018-08-14T10:30:02.203-02:00",
 "ecs": {
 "version": "8.0.0"
 },
+ "event": {
+ "timezone": "GMT-0200"
+ },
 "host": {
 "hostname": "linux-sqrz"
 },
- "event": {
- "timezone": "GMT-0200"
+ "message": "Stopped target Paths.",
+ "process": {
+ "name": "systemd",
+ "pid": 4179
 },
- "message": "Stopped target Paths."
+ "system": {
+ "syslog": {}
+ }
 }
 ]
 }
\ No newline at end of file
diff --git a/packages/system/data_stream/syslog/_dev/test/pipeline/test-tz-offset.log-expected.json b/packages/system/data_stream/syslog/_dev/test/pipeline/test-tz-offset.log-expected.json
index 68dba0d6438..1b798f2ada8 100644
--- a/packages/system/data_stream/syslog/_dev/test/pipeline/test-tz-offset.log-expected.json
+++ b/packages/system/data_stream/syslog/_dev/test/pipeline/test-tz-offset.log-expected.json
@@ -1,65 +1,65 @@
 {
 "expected": [
 {
- "process": {
- "name": "shutdown",
- "pid": 2649
- },
- "system": {
- "syslog": {}
- },
 "@timestamp": "1986-04-25T19:23:45.101-02:00",
 "ecs": {
 "version": "8.0.0"
 },
- "host": {
- "hostname": "rmbkmonitor04"
- },
 "event": {
 "kind": "event",
 "timezone": "GMT-0200"
 },
- "message": "shutting down for system halt"
- },
- {
+ "host": {
+ "hostname": "rmbkmonitor04"
+ },
+ "message": "shutting down for system halt",
 "process": {
- "name": "thermald"
+ "name": "shutdown",
+ "pid": 2649
 },
 "system": {
 "syslog": {}
- },
+ }
+ },
+ {
 "@timestamp": "1986-04-25T19:23:45.388-02:00",
 "ecs": {
 "version": "8.0.0"
 },
- "host": {
- "hostname": "rmbkmonitor04"
- },
 "event": {
 "kind": "event",
 "timezone": "GMT-0200"
 },
- "message": "constraint_0_power_limit_uw exceeded."
- },
- {
+ "host": {
+ "hostname": "rmbkmonitor04"
+ },
+ "message": "constraint_0_power_limit_uw exceeded.",
 "process": {
- "name": "sudo"
+ "name": "thermald"
 },
 "system": {
 "syslog": {}
- },
+ }
+ },
+ {
 "@timestamp": "2019-06-14T10:40:20.912-02:00",
 "ecs": {
 "version": "8.0.0"
 },
- "host": {
- "hostname": "localhost"
- },
 "event": {
 "kind": "event",
 "timezone": "GMT-0200"
 },
- "message": "pam_unix(sudo-i:session): session opened for user root by userauth3(uid=0)"
+ "host": {
+ "hostname": "localhost"
+ },
+ "message": "pam_unix(sudo-i:session): session opened for user root by userauth3(uid=0)",
+ "process": {
+ "name": "sudo"
+ },
+ "system": {
+ "syslog": {}
+ }
 }
 ]
 }
\ No newline at end of file
diff --git a/packages/system/docs/README.md b/packages/system/docs/README.md
index 13858196b6a..5ccfc382669 100644
--- a/packages/system/docs/README.md
+++ b/packages/system/docs/README.md
@@ -514,7 +514,7 @@ An example event for `security` looks as following:
 | event.dataset | Event dataset. | constant_keyword |
 | event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date |
 | event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
-| event.module | Event module | constant_keyword |
+| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | keyword |
 | event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword |
 | event.provider | Source of the event. Event transports such as Syslog or the Windows Event Log typically mention the source of an event. It can be the name of the software that generated the event (e.g. Sysmon, httpd), or of a subsystem of the operating system (kernel, Microsoft-Windows-Security-Auditing). | keyword |
 | event.sequence | Sequence number of the event. The sequence number is a value published by some event sources, to make the exact ordering of events unambiguous, regardless of the timestamp precision. | long |
@@ -556,6 +556,7 @@ An example event for `security` looks as following:
 | process.parent.executable.text | Multi-field of `process.parent.executable`. | match_only_text |
 | process.parent.name | Process name. Sometimes called program name or similar. | keyword |
 | process.parent.name.text | Multi-field of `process.parent.name`. | match_only_text |
+| process.parent.pid | Process id. | long |
 | process.pid | Process id. | long |
 | process.title | Process title. The proctitle, some times the same as process name. Can also be different: for example a browser setting its title to the web page currently opened. | keyword |
 | process.title.text | Multi-field of `process.title`. | match_only_text |
diff --git a/packages/system/manifest.yml b/packages/system/manifest.yml
index 441a8a94002..d17da1b846a 100644
--- a/packages/system/manifest.yml
+++ b/packages/system/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 1.0.0
 name: system
 title: System
-version: 1.12.1
+version: 1.13.0
 license: basic
 description: Collect system logs and metrics from your servers with Elastic Agent.
 type: integration
diff --git a/packages/windows/changelog.yml b/packages/windows/changelog.yml
index 0610e39a867..2d3677e48d9 100644
--- a/packages/windows/changelog.yml
+++ b/packages/windows/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.11.0"
+ changes:
+ - description: Add parent process ID to security event for new process creation.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/2966
 - version: "1.10.1"
 changes:
 - description: Add documentation for multi-fields
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-powershell-events.json-config.yml b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-powershell-events.json-config.yml
deleted file mode 100644
index c39dc386179..00000000000
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-powershell-events.json-config.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-powershell-operational-events.json-config.yml b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-powershell-operational-events.json-config.yml
deleted file mode 100644
index c39dc386179..00000000000
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-powershell-operational-events.json-config.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-1100.json-config.yml b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-1100.json-config.yml
deleted file mode 100644
index c39dc386179..00000000000
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-1100.json-config.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-1102.json-config.yml b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-1102.json-config.yml
deleted file mode 100644
index c39dc386179..00000000000
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-1102.json-config.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-1104.json-config.yml b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-1104.json-config.yml
deleted file mode 100644
index c39dc386179..00000000000
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-1104.json-config.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-1105.json-config.yml b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-1105.json-config.yml
deleted file mode 100644
index c39dc386179..00000000000
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-1105.json-config.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4670-windowssrv2016.json-config.yml b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4670-windowssrv2016.json-config.yml
deleted file mode 100644
index c39dc386179..00000000000
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4670-windowssrv2016.json-config.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4706-windowssrv2016.json-config.yml b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4706-windowssrv2016.json-config.yml
deleted file mode 100644
index c39dc386179..00000000000
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4706-windowssrv2016.json-config.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4707-windowssrv2016.json-config.yml b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4707-windowssrv2016.json-config.yml
deleted file mode 100644
index c39dc386179..00000000000
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4707-windowssrv2016.json-config.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4713-windowssrv2016.json-config.yml b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4713-windowssrv2016.json-config.yml
deleted file mode 100644
index c39dc386179..00000000000
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4713-windowssrv2016.json-config.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4716-windowssrv2016.json-config.yml b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4716-windowssrv2016.json-config.yml
deleted file mode 100644
index c39dc386179..00000000000
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4716-windowssrv2016.json-config.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4717-windowssrv2016.json-config.yml b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4717-windowssrv2016.json-config.yml
deleted file mode 100644
index c39dc386179..00000000000
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4717-windowssrv2016.json-config.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4718-windowssrv2016.json-config.yml b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4718-windowssrv2016.json-config.yml
deleted file mode 100644
index c39dc386179..00000000000
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4718-windowssrv2016.json-config.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4719-windowssrv2016.json-config.yml b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4719-windowssrv2016.json-config.yml
deleted file mode 100644
index c39dc386179..00000000000
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4719-windowssrv2016.json-config.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4719.json-config.yml b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4719.json-config.yml
deleted file mode 100644
index c39dc386179..00000000000
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4719.json-config.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4739-windowssrv2016.json-config.yml b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4739-windowssrv2016.json-config.yml
deleted file mode 100644
index c39dc386179..00000000000
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4739-windowssrv2016.json-config.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4743.json-config.yml b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4743.json-config.yml
deleted file mode 100644
index c39dc386179..00000000000
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4743.json-config.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4744.json-config.yml b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4744.json-config.yml
deleted file mode 100644
index c39dc386179..00000000000
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4744.json-config.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4745.json-config.yml b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4745.json-config.yml
deleted file mode 100644
index c39dc386179..00000000000
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4745.json-config.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4746.json-config.yml b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4746.json-config.yml
deleted file mode 100644
index c39dc386179..00000000000
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4746.json-config.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4747.json-config.yml b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4747.json-config.yml
deleted file mode 100644
index c39dc386179..00000000000
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4747.json-config.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4748.json-config.yml b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4748.json-config.yml
deleted file mode 100644
index c39dc386179..00000000000
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4748.json-config.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4749.json-config.yml b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4749.json-config.yml
deleted file mode 100644
index c39dc386179..00000000000
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4749.json-config.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4750.json-config.yml b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4750.json-config.yml
deleted file mode 100644
index c39dc386179..00000000000
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4750.json-config.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4751.json-config.yml b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4751.json-config.yml
deleted file mode 100644
index c39dc386179..00000000000
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4751.json-config.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4752.json-config.yml b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4752.json-config.yml
deleted file mode 100644
index c39dc386179..00000000000
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4752.json-config.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4753.json-config.yml b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4753.json-config.yml
deleted file mode 100644
index c39dc386179..00000000000
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4753.json-config.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4759.json-config.yml b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4759.json-config.yml
deleted file mode 100644
index c39dc386179..00000000000
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4759.json-config.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4760.json-config.yml b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4760.json-config.yml
deleted file mode 100644
index c39dc386179..00000000000
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4760.json-config.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4761.json-config.yml b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4761.json-config.yml
deleted file mode 100644
index c39dc386179..00000000000
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4761.json-config.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4762.json-config.yml b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4762.json-config.yml
deleted file mode 100644
index c39dc386179..00000000000
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4762.json-config.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4763.json-config.yml b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4763.json-config.yml
deleted file mode 100644
index c39dc386179..00000000000
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4763.json-config.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4817-windowssrv2016.json-config.yml b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4817-windowssrv2016.json-config.yml
deleted file mode 100644
index c39dc386179..00000000000
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4817-windowssrv2016.json-config.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4902-windowssrv2016.json-config.yml b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4902-windowssrv2016.json-config.yml
deleted file mode 100644
index c39dc386179..00000000000
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4902-windowssrv2016.json-config.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4904-windowssrv2016.json-config.yml b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4904-windowssrv2016.json-config.yml
deleted file mode 100644
index c39dc386179..00000000000
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4904-windowssrv2016.json-config.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4905-windowssrv2016.json-config.yml b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4905-windowssrv2016.json-config.yml
deleted file mode 100644
index c39dc386179..00000000000
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4905-windowssrv2016.json-config.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4906-windowssrv2016.json-config.yml b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4906-windowssrv2016.json-config.yml
deleted file mode 100644
index c39dc386179..00000000000
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4906-windowssrv2016.json-config.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4907-windowssrv2016.json-config.yml b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4907-windowssrv2016.json-config.yml
deleted file mode 100644
index c39dc386179..00000000000
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-4907-windowssrv2016.json-config.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4673.json-config.yml b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4673.json-config.yml
deleted file mode 100644
index c39dc386179..00000000000
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4673.json-config.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4697.json-config.yml b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4697.json-config.yml
deleted file mode 100644
index c39dc386179..00000000000
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4697.json-config.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4768.json-config.yml b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4768.json-config.yml
deleted file mode 100644
index c39dc386179..00000000000
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4768.json-config.yml
+++ /dev/null
@@ -1,2 +0,0 @@ -dynamic_fields: - event.ingested: ".*" diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4769.json-config.yml b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4769.json-config.yml deleted file mode 100644 index c39dc386179..00000000000 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4769.json-config.yml +++ /dev/null @@ -1,2 +0,0 @@ -dynamic_fields: - event.ingested: ".*" diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4770.json-config.yml b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4770.json-config.yml deleted file mode 100644 index c39dc386179..00000000000 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4770.json-config.yml +++ /dev/null @@ -1,2 +0,0 @@ -dynamic_fields: - event.ingested: ".*" diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4771.json-config.yml b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4771.json-config.yml deleted file mode 100644 index c39dc386179..00000000000 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4771.json-config.yml +++ /dev/null @@ -1,2 +0,0 @@ -dynamic_fields: - event.ingested: ".*" diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4776.json-config.yml b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4776.json-config.yml deleted file mode 100644 index c39dc386179..00000000000 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4776.json-config.yml +++ /dev/null @@ -1,2 +0,0 @@ -dynamic_fields: - event.ingested: ".*" 
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4778.json-config.yml b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4778.json-config.yml deleted file mode 100644 index c39dc386179..00000000000 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4778.json-config.yml +++ /dev/null @@ -1,2 +0,0 @@ -dynamic_fields: - event.ingested: ".*" diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4779.json-config.yml b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4779.json-config.yml deleted file mode 100644 index c39dc386179..00000000000 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012-4779.json-config.yml +++ /dev/null @@ -1,2 +0,0 @@ -dynamic_fields: - event.ingested: ".*" diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012r2-logon.json-config.yml b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012r2-logon.json-config.yml deleted file mode 100644 index c39dc386179..00000000000 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2012r2-logon.json-config.yml +++ /dev/null @@ -1,2 +0,0 @@ -dynamic_fields: - event.ingested: ".*" diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4722-account-enabled.json-config.yml b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4722-account-enabled.json-config.yml deleted file mode 100644 index c39dc386179..00000000000 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4722-account-enabled.json-config.yml +++ /dev/null @@ -1,2 +0,0 @@ -dynamic_fields: - event.ingested: ".*" 
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4723-password-change.json-config.yml b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4723-password-change.json-config.yml deleted file mode 100644 index c39dc386179..00000000000 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4723-password-change.json-config.yml +++ /dev/null @@ -1,2 +0,0 @@ -dynamic_fields: - event.ingested: ".*" diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4724-password-reset.json-config.yml b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4724-password-reset.json-config.yml deleted file mode 100644 index c39dc386179..00000000000 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4724-password-reset.json-config.yml +++ /dev/null @@ -1,2 +0,0 @@ -dynamic_fields: - event.ingested: ".*" diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4725-account-disabled.json-config.yml b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4725-account-disabled.json-config.yml deleted file mode 100644 index c39dc386179..00000000000 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4725-account-disabled.json-config.yml +++ /dev/null @@ -1,2 +0,0 @@ -dynamic_fields: - event.ingested: ".*" diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4726-account-deleted.json-config.yml b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4726-account-deleted.json-config.yml deleted file mode 100644 index c39dc386179..00000000000 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4726-account-deleted.json-config.yml +++ /dev/null 
@@ -1,2 +0,0 @@ -dynamic_fields: - event.ingested: ".*" diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4727.json-config.yml b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4727.json-config.yml deleted file mode 100644 index c39dc386179..00000000000 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4727.json-config.yml +++ /dev/null @@ -1,2 +0,0 @@ -dynamic_fields: - event.ingested: ".*" diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4728.json-config.yml b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4728.json-config.yml deleted file mode 100644 index c39dc386179..00000000000 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4728.json-config.yml +++ /dev/null @@ -1,2 +0,0 @@ -dynamic_fields: - event.ingested: ".*" diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4729.json-config.yml b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4729.json-config.yml deleted file mode 100644 index c39dc386179..00000000000 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4729.json-config.yml +++ /dev/null @@ -1,2 +0,0 @@ -dynamic_fields: - event.ingested: ".*" diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4730.json-config.yml b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4730.json-config.yml deleted file mode 100644 index c39dc386179..00000000000 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4730.json-config.yml +++ /dev/null @@ -1,2 +0,0 @@ -dynamic_fields: - event.ingested: ".*" 
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4731.json-config.yml b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4731.json-config.yml deleted file mode 100644 index c39dc386179..00000000000 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4731.json-config.yml +++ /dev/null @@ -1,2 +0,0 @@ -dynamic_fields: - event.ingested: ".*" diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4732.json-config.yml b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4732.json-config.yml deleted file mode 100644 index c39dc386179..00000000000 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4732.json-config.yml +++ /dev/null @@ -1,2 +0,0 @@ -dynamic_fields: - event.ingested: ".*" diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4733.json-config.yml b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4733.json-config.yml deleted file mode 100644 index c39dc386179..00000000000 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4733.json-config.yml +++ /dev/null @@ -1,2 +0,0 @@ -dynamic_fields: - event.ingested: ".*" diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4734.json-config.yml b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4734.json-config.yml deleted file mode 100644 index c39dc386179..00000000000 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4734.json-config.yml +++ /dev/null @@ -1,2 +0,0 @@ -dynamic_fields: - event.ingested: ".*" 
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4735.json-config.yml b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4735.json-config.yml deleted file mode 100644 index c39dc386179..00000000000 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4735.json-config.yml +++ /dev/null @@ -1,2 +0,0 @@ -dynamic_fields: - event.ingested: ".*" diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4737.json-config.yml b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4737.json-config.yml deleted file mode 100644 index c39dc386179..00000000000 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4737.json-config.yml +++ /dev/null @@ -1,2 +0,0 @@ -dynamic_fields: - event.ingested: ".*" diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4738-account-changed.json-config.yml b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4738-account-changed.json-config.yml deleted file mode 100644 index c39dc386179..00000000000 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4738-account-changed.json-config.yml +++ /dev/null @@ -1,2 +0,0 @@ -dynamic_fields: - event.ingested: ".*" diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4740-account-locked-out.json-config.yml b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4740-account-locked-out.json-config.yml deleted file mode 100644 index c39dc386179..00000000000 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4740-account-locked-out.json-config.yml +++ /dev/null @@ -1,2 +0,0 @@ -dynamic_fields: - event.ingested: ".*" 
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4754.json-config.yml b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4754.json-config.yml deleted file mode 100644 index c39dc386179..00000000000 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4754.json-config.yml +++ /dev/null @@ -1,2 +0,0 @@ -dynamic_fields: - event.ingested: ".*" diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4755.json-config.yml b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4755.json-config.yml deleted file mode 100644 index c39dc386179..00000000000 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4755.json-config.yml +++ /dev/null @@ -1,2 +0,0 @@ -dynamic_fields: - event.ingested: ".*" diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4756.json-config.yml b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4756.json-config.yml deleted file mode 100644 index c39dc386179..00000000000 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4756.json-config.yml +++ /dev/null @@ -1,2 +0,0 @@ -dynamic_fields: - event.ingested: ".*" diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4757.json-config.yml b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4757.json-config.yml deleted file mode 100644 index c39dc386179..00000000000 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4757.json-config.yml +++ /dev/null @@ -1,2 +0,0 @@ -dynamic_fields: - event.ingested: ".*" 
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4758.json-config.yml b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4758.json-config.yml deleted file mode 100644 index c39dc386179..00000000000 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4758.json-config.yml +++ /dev/null @@ -1,2 +0,0 @@ -dynamic_fields: - event.ingested: ".*" diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4764.json-config.yml b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4764.json-config.yml deleted file mode 100644 index c39dc386179..00000000000 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4764.json-config.yml +++ /dev/null @@ -1,2 +0,0 @@ -dynamic_fields: - event.ingested: ".*" diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4767-account-unlocked.json-config.yml b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4767-account-unlocked.json-config.yml deleted file mode 100644 index c39dc386179..00000000000 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4767-account-unlocked.json-config.yml +++ /dev/null @@ -1,2 +0,0 @@ -dynamic_fields: - event.ingested: ".*" diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4781-account-renamed.json-config.yml b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4781-account-renamed.json-config.yml deleted file mode 100644 index c39dc386179..00000000000 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4781-account-renamed.json-config.yml +++ /dev/null @@ -1,2 +0,0 @@ -dynamic_fields: - event.ingested: ".*" 
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4798.json-config.yml b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4798.json-config.yml deleted file mode 100644 index c39dc386179..00000000000 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4798.json-config.yml +++ /dev/null @@ -1,2 +0,0 @@ -dynamic_fields: - event.ingested: ".*" diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4799.json-config.yml b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4799.json-config.yml deleted file mode 100644 index c39dc386179..00000000000 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-4799.json-config.yml +++ /dev/null @@ -1,2 +0,0 @@ -dynamic_fields: - event.ingested: ".*" diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-logoff.json-config.yml b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-logoff.json-config.yml deleted file mode 100644 index c39dc386179..00000000000 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2016-logoff.json-config.yml +++ /dev/null @@ -1,2 +0,0 @@ -dynamic_fields: - event.ingested: ".*" diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2019-4688-process-created.json-config.yml b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2019-4688-process-created.json-config.yml deleted file mode 100644 index c39dc386179..00000000000 --- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2019-4688-process-created.json-config.yml +++ /dev/null @@ -1,2 +0,0 @@ -dynamic_fields: - event.ingested: ".*" 
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2019-4688-process-created.json-expected.json b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2019-4688-process-created.json-expected.json
index fd643b3d8d1..56356556f68 100644
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2019-4688-process-created.json-expected.json
+++ b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2019-4688-process-created.json-expected.json
@@ -45,7 +45,8 @@
 "name": "wevtutil.exe",
 "parent": {
 "executable": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
- "name": "powershell.exe"
+ "name": "powershell.exe",
+ "pid": 4652
 },
 "pid": 4556
 },
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2019-4689-process-exited.json-config.yml b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2019-4689-process-exited.json-config.yml
deleted file mode 100644
index c39dc386179..00000000000
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-security-windows2019-4689-process-exited.json-config.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
diff --git a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-sysmon-operational-events.json-config.yml b/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-sysmon-operational-events.json-config.yml
deleted file mode 100644
index c39dc386179..00000000000
--- a/packages/windows/data_stream/forwarded/_dev/test/pipeline/test-sysmon-operational-events.json-config.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
diff --git a/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security.yml b/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security.yml
index 2ff78391457..3f42b128e9a 100644
--- a/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security.yml
+++ b/packages/windows/data_stream/forwarded/elasticsearch/ingest_pipeline/security.yml
@@ -2698,6 +2698,22 @@ processors:
 def parts = ctx.process.parent.executable.splitOnToken("\\");
 ctx.process.parent.put("name", parts[-1]);
 }
+ if (ctx?.winlog?.event_data?.ProcessId != null) {
+ if (ctx?.process == null) {
+ HashMap hm = new HashMap();
+ ctx.put("process", hm);
+ }
+ if (ctx?.process?.parent == null) {
+ HashMap hm = new HashMap();
+ ctx.process.put("parent", hm);
+ }
+ if (ctx.winlog.event_data.ProcessId instanceof String) {
+ Long pid = Long.decode(ctx.winlog.event_data.ProcessId);
+ ctx.process.parent.put("pid", pid.longValue());
+ } else {
+ ctx.process.parent.put("pid", ctx.winlog.event_data.ProcessId);
+ }
+ }
 if (ctx?.winlog?.event_data?.CommandLine != null) {
 int start = 0;
 int end = 0;
diff --git a/packages/windows/data_stream/powershell/_dev/test/pipeline/test-events.json-config.yml b/packages/windows/data_stream/powershell/_dev/test/pipeline/test-events.json-config.yml
deleted file mode 100644
index c39dc386179..00000000000
--- a/packages/windows/data_stream/powershell/_dev/test/pipeline/test-events.json-config.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-dynamic_fields:
- event.ingested: ".*"
diff --git a/packages/windows/data_stream/powershell/_dev/test/pipeline/test-events.json-expected.json b/packages/windows/data_stream/powershell/_dev/test/pipeline/test-events.json-expected.json
index cf627331c69..55c5f7a6ce9 100644
--- a/packages/windows/data_stream/powershell/_dev/test/pipeline/test-events.json-expected.json
+++ b/packages/windows/data_stream/powershell/_dev/test/pipeline/test-events.json-expected.json
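Review bot: `Long.decode(ctx.winlog.event_data.ProcessId)` in the new `instanceof String` branch throws NumberFormatException for any value that is not a parseable decimal or 0x-prefixed hex number (an empty string, or text an upstream agent already rendered differently), and inside a script processor that exception fails the whole event instead of merely leaving `process.parent.pid` unset. A try/catch around the decode keeps the 4688 event ingested with the rest of its fields, which matters because this is the event a parent/child process lineage query relies on; the rewritten branch is below. The script block this hunk sits in starts and ends outside the hunk, so I could not confirm whether an `on_failure` handler already absorbs script errors for this processor; if it does, the guard is still the cheaper failure mode since it loses one field rather than the document. The 4688 fixture in this commit only exercises the String path (`"pid": 4652` under `parent`); a fixture where `ProcessId` is already numeric would cover the `else` branch.

```painless
// … unchanged: process / process.parent map creation …
if (ctx.winlog.event_data.ProcessId instanceof String) {
    try {
        Long pid = Long.decode(ctx.winlog.event_data.ProcessId);
        ctx.process.parent.put("pid", pid.longValue());
    } catch (NumberFormatException e) {
        // unparseable creator PID: leave process.parent.pid unset rather than failing the event
    }
} else {
    ctx.process.parent.put("pid", ctx.winlog.event_data.ProcessId);
}
```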
@@ -1,121 +1,172 @@ { "expected": [ { + "@timestamp": "2020-05-13T13:21:43.183Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": "process", + "code": "600", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e600\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e6\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-13T13:21:43.183180900Z'/\u003e\u003cEventRecordID\u003e1089\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eCertificate\u003c/Data\u003e\u003cData\u003eStarted\u003c/Data\u003e\u003cData\u003e\tProviderName=Certificate\n\tNewProviderState=Started\n\n\tSequenceNumber=35\n\n\tHostName=Windows PowerShell ISE Host\n\tHostVersion=5.1.17763.1007\n\tHostId=86edc16f-6943-469e-8bd8-ef1857080206\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe C:\\Users\\vagrant\\Desktop\\lateral.ps1\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=9d21da0b-e402-40e1-92ff-98c5ab1137a9\n\tPipelineId=15\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e600\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e6\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-13T13:25:04.656426900Z'/\u003e\u003cEventRecordID\u003e1266\u003c/EventRecordID\u003e\u003cChannel\u003eWindows 
PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eRegistry\u003c/Data\u003e\u003cData\u003eStarted\u003c/Data\u003e\u003cData\u003e\tProviderName=Registry\n\tNewProviderState=Started\n\n\tSequenceNumber=1\n\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=44b8d66c-f5a2-4abb-ac7d-6db73990a6d3\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=\n\tRunspaceId=\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e600\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e6\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-06-04T07:25:04.857430200Z'/\u003e\u003cEventRecordID\u003e18640\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eCertificate\u003c/Data\u003e\u003cData\u003eStarted\u003c/Data\u003e\u003cData\u003e\tProviderName=Certificate\n\tNewProviderState=Started\n\n\tSequenceNumber=8\n\n\tHostName=ConsoleHost\n\tHostVersion=2.0\n\tHostId=99a16837-7392-463d-afe5-5f3ed24bd358\n\tEngineVersion=\n\tRunspaceId=\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "PowerShell", + "sequence": 35, + "type": "info" + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "information" + }, + "powershell": { + "engine": { + "version": 
"5.1.17763.1007" + }, + "pipeline_id": "15", + "process": { + "executable_version": "5.1.17763.1007" + }, + "provider": { + "name": "Certificate", + "new_state": "Started" + }, + "runspace_id": "9d21da0b-e402-40e1-92ff-98c5ab1137a9" + }, "process": { "args": [ "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe", "C:\\Users\\vagrant\\Desktop\\lateral.ps1" ], "args_count": 2, + "command_line": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe C:\\Users\\vagrant\\Desktop\\lateral.ps1", "entity_id": "86edc16f-6943-469e-8bd8-ef1857080206", - "title": "Windows PowerShell ISE Host", - "command_line": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe C:\\Users\\vagrant\\Desktop\\lateral.ps1" + "title": "Windows PowerShell ISE Host" }, - "@timestamp": "2020-05-13T13:21:43.183Z", + "tags": [ + "forwarded" + ], "winlog": { "channel": "Windows PowerShell", "computer_name": "vagrant", - "record_id": "1089", "event_id": "600", "keywords": [ "Classic" ], - "provider_name": "PowerShell" - }, + "provider_name": "PowerShell", + "record_id": "1089" + } + }, + { + "@timestamp": "2020-05-14T07:00:30.891Z", "ecs": { "version": "8.0.0" }, + "event": { + "category": "process", + "code": "400", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e400\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e4\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-14T07:00:30.891423500Z'/\u003e\u003cEventRecordID\u003e1492\u003c/EventRecordID\u003e\u003cChannel\u003eWindows 
PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eAvailable\u003c/Data\u003e\u003cData\u003eNone\u003c/Data\u003e\u003cData\u003e\tNewEngineState=Available\n\tPreviousEngineState=None\n\n\tSequenceNumber=13\n\n\tHostName=ServerRemoteHost\n\tHostVersion=1.0.0.0\n\tHostId=2458050c-5e21-47a6-bbdf-41ef2151b519\n\tHostApplication=C:\\Windows\\system32\\wsmprovhost.exe -Embedding\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=405e84eb-9ca3-40d8-a4da-cf6ed1b38ed2\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e400\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e4\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-14T07:01:14.371507600Z'/\u003e\u003cEventRecordID\u003e1511\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eAvailable\u003c/Data\u003e\u003cData\u003eNone\u003c/Data\u003e\u003cData\u003e\tNewEngineState=Available\n\tPreviousEngineState=None\n\n\tSequenceNumber=13\n\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=83c6a631-910d-4530-bec2-18b2d0fc380a\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=056a5045-a7bb-49c6-9a9d-2ea95acea751\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent 
xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e400\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e4\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-14T11:32:51.989256800Z'/\u003e\u003cEventRecordID\u003e1579\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eAvailable\u003c/Data\u003e\u003cData\u003eNone\u003c/Data\u003e\u003cData\u003e\tNewEngineState=Available\n\tPreviousEngineState=None\n\n\tSequenceNumber=13\n\n\tHostName=Windows PowerShell ISE Host\n\tHostVersion=5.1.17763.1007\n\tHostId=f3d0acd6-4ec1-4e0a-9c8e-27ee07eec3ab\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe C:\\Users\\vagrant\\Desktop\\patata.ps1\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=24067d05-e98a-4fbb-9cda-020e4c65017d\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e400\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e4\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-06-04T07:20:27.747227500Z'/\u003e\u003cEventRecordID\u003e18591\u003c/EventRecordID\u003e\u003cChannel\u003eWindows 
PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eAvailable\u003c/Data\u003e\u003cData\u003eNone\u003c/Data\u003e\u003cData\u003e\tNewEngineState=Available\n\tPreviousEngineState=None\n\n\tSequenceNumber=9\n\n\tHostName=ConsoleHost\n\tHostVersion=2.0\n\tHostId=7018c049-c75b-4e02-9c0f-6761b97e1657\n\tEngineVersion=2.0\n\tRunspaceId=6ebeca05-d618-4c66-a0d8-4269d800d099\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "PowerShell", + "sequence": 13, + "type": "start" + }, + "host": { + "name": "vagrant" + }, "log": { "level": "information" }, "powershell": { - "pipeline_id": "15", - "process": { - "executable_version": "5.1.17763.1007" - }, - "provider": { - "name": "Certificate", - "new_state": "Started" - }, "engine": { + "new_state": "Available", + "previous_state": "None", "version": "5.1.17763.1007" }, - "runspace_id": "9d21da0b-e402-40e1-92ff-98c5ab1137a9" - }, - "host": { - "name": "vagrant" - }, - "event": { - "sequence": 35, - "ingested": "2022-01-12T05:21:30.519545468Z", - "code": "600", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e600\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e6\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-13T13:21:43.183180900Z'/\u003e\u003cEventRecordID\u003e1089\u003c/EventRecordID\u003e\u003cChannel\u003eWindows 
PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eCertificate\u003c/Data\u003e\u003cData\u003eStarted\u003c/Data\u003e\u003cData\u003e\tProviderName=Certificate\n\tNewProviderState=Started\n\n\tSequenceNumber=35\n\n\tHostName=Windows PowerShell ISE Host\n\tHostVersion=5.1.17763.1007\n\tHostId=86edc16f-6943-469e-8bd8-ef1857080206\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe C:\\Users\\vagrant\\Desktop\\lateral.ps1\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=9d21da0b-e402-40e1-92ff-98c5ab1137a9\n\tPipelineId=15\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e600\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e6\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-13T13:25:04.656426900Z'/\u003e\u003cEventRecordID\u003e1266\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eRegistry\u003c/Data\u003e\u003cData\u003eStarted\u003c/Data\u003e\u003cData\u003e\tProviderName=Registry\n\tNewProviderState=Started\n\n\tSequenceNumber=1\n\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=44b8d66c-f5a2-4abb-ac7d-6db73990a6d3\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 
'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=\n\tRunspaceId=\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e600\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e6\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-06-04T07:25:04.857430200Z'/\u003e\u003cEventRecordID\u003e18640\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eCertificate\u003c/Data\u003e\u003cData\u003eStarted\u003c/Data\u003e\u003cData\u003e\tProviderName=Certificate\n\tNewProviderState=Started\n\n\tSequenceNumber=8\n\n\tHostName=ConsoleHost\n\tHostVersion=2.0\n\tHostId=99a16837-7392-463d-afe5-5f3ed24bd358\n\tEngineVersion=\n\tRunspaceId=\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "PowerShell", - "kind": "event", - "category": "process", - "type": "info" + "process": { + "executable_version": "1.0.0.0" + }, + "runspace_id": "405e84eb-9ca3-40d8-a4da-cf6ed1b38ed2" }, - "tags": [ - "forwarded" - ] - }, - { "process": { "args": [ "C:\\Windows\\system32\\wsmprovhost.exe", "-Embedding" ], "args_count": 2, + "command_line": "C:\\Windows\\system32\\wsmprovhost.exe -Embedding", "entity_id": "2458050c-5e21-47a6-bbdf-41ef2151b519", - "title": "ServerRemoteHost", - "command_line": "C:\\Windows\\system32\\wsmprovhost.exe -Embedding" + "title": "ServerRemoteHost" }, - "@timestamp": "2020-05-14T07:00:30.891Z", + "tags": [ + "forwarded" + ], "winlog": { "channel": "Windows 
PowerShell", "computer_name": "vagrant", - "record_id": "1492", "event_id": "400", "keywords": [ "Classic" ], - "provider_name": "PowerShell" - }, + "provider_name": "PowerShell", + "record_id": "1492" + } + }, + { + "@timestamp": "2020-02-26T09:37:40.487Z", "ecs": { "version": "8.0.0" }, + "event": { + "category": "process", + "code": "800", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e800\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e8\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-02-26T09:37:40.487241500Z'/\u003e\u003cEventRecordID\u003e191\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant-2019\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003e Add-Type -AssemblyName System.IO.Compression.FileSystem\n\u003c/Data\u003e\u003cData\u003e\tDetailSequence=1\n\tDetailTotal=1\n\n\tSequenceNumber=17\n\n\tUserId=VAGRANT-2019\\vagrant\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=ac3c99ce-7983-4996-807e-6a689eaba50b\n\tHostApplication=powershell -executionpolicy bypass \u0026amp; { if (Test-Path variable:global:ProgressPreference){set-variable -name variable:global:ProgressPreference -value 'SilentlyContinue'};. 
c:/Windows/Temp/packer-ps-env-vars-5e5637dd-15a9-73e0-889a-c01f541a8bc6.ps1; \u0026amp;'c:/Windows/Temp/script-5e5637dd-5626-019d-027a-02e78baaacc9.ps1'; exit $LastExitCode }\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=6a447a2c-693e-4d41-948d-129b455b2569\n\tPipelineId=1\n\tScriptName=C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Archive\\Microsoft.PowerShell.Archive.psm1\n\tCommandLine= Add-Type -AssemblyName System.IO.Compression.FileSystem\n\u003c/Data\u003e\u003cData\u003eCommandInvocation(Add-Type): \"Add-Type\"\nParameterBinding(Add-Type): name=\"AssemblyName\"; value=\"System.IO.Compression.FileSystem\"\n\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e800\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e8\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-15T08:33:26.376993100Z'/\u003e\u003cEventRecordID\u003e1843\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003e\u0026amp; { Set-StrictMode -Version 1; $this.Exception.InnerException.PSMessageDetails }\u003c/Data\u003e\u003cData\u003e\tDetailSequence=1\n\tDetailTotal=1\n\n\tSequenceNumber=135\n\n\tUserId=VAGRANT\\vagrant\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=aae5217d-054f-435f-9968-4b5bebf12116\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=a87e8389-57c7-4997-95ff-f82f644965bf\n\tPipelineId=71\n\tScriptName=\n\tCommandLine=\u0026amp; { Set-StrictMode -Version 1; 
$this.Exception.InnerException.PSMessageDetails }\u003c/Data\u003e\u003cData\u003eCommandInvocation(Set-StrictMode): \"Set-StrictMode\"\nParameterBinding(Set-StrictMode): name=\"Version\"; value=\"1.0\"\n\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e800\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e8\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-15T08:33:26.393089000Z'/\u003e\u003cEventRecordID\u003e1846\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eImport-LocalizedData LocalizedData -filename ArchiveResources\n\u003c/Data\u003e\u003cData\u003e\tDetailSequence=1\n\tDetailTotal=1\n\n\tSequenceNumber=141\n\n\tUserId=VAGRANT\\vagrant\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=aae5217d-054f-435f-9968-4b5bebf12116\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=a87e8389-57c7-4997-95ff-f82f644965bf\n\tPipelineId=71\n\tScriptName=\n\tCommandLine=Import-LocalizedData LocalizedData -filename ArchiveResources\n\u003c/Data\u003e\u003cData\u003eCommandInvocation(Import-LocalizedData): \"Import-LocalizedData\"\nParameterBinding(Import-LocalizedData): name=\"FileName\"; value=\"ArchiveResources\"\nParameterBinding(Import-LocalizedData): name=\"BindingVariable\"; value=\"LocalizedData\"\nNonTerminatingError(Import-LocalizedData): \"Cannot find the Windows PowerShell data file 'ArchiveResources.psd1' in directory 'C:\\Gopath\\src\\github.com\\elastic\\beats\\x-pack\\winlogbeat\\en-US\\', or in 
any parent culture directories.\"\n\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e800\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e8\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-15T08:33:26.393089000Z'/\u003e\u003cEventRecordID\u003e1847\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003e\u003c/Data\u003e\u003cData\u003e\tDetailSequence=1\n\tDetailTotal=1\n\n\tSequenceNumber=143\n\n\tUserId=VAGRANT\\vagrant\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=aae5217d-054f-435f-9968-4b5bebf12116\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=a87e8389-57c7-4997-95ff-f82f644965bf\n\tPipelineId=71\n\tScriptName=\n\tCommandLine=\u003c/Data\u003e\u003cData\u003eCommandInvocation(Out-Default): \"Out-Default\"\nParameterBinding(Out-Default): name=\"InputObject\"; value=\"Cannot find the Windows PowerShell data file 'ArchiveResources.psd1' in directory 'C:\\Gopath\\src\\github.com\\elastic\\beats\\x-pack\\winlogbeat\\en-US\\', or in any parent culture directories.\"\n\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "PowerShell", + "sequence": 17, + "type": "info" + }, + "file": { + "directory": "C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Archive", + "extension": "psm1", + "name": "Microsoft.PowerShell.Archive.psm1", + "path": 
"C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Archive\\Microsoft.PowerShell.Archive.psm1" + }, + "host": { + "name": "vagrant-2019" + }, "log": { "level": "information" }, "powershell": { + "command": { + "invocation_details": [ + { + "related_command": "Add-Type", + "type": "CommandInvocation", + "value": "\"Add-Type\"" + }, + { + "name": "\"AssemblyName\"", + "related_command": "Add-Type", + "type": "ParameterBinding", + "value": "\"System.IO.Compression.FileSystem\"" + } + ], + "value": " Add-Type -AssemblyName System.IO.Compression.FileSystem" + }, "engine": { - "new_state": "Available", - "version": "5.1.17763.1007", - "previous_state": "None" + "version": "5.1.17763.1007" }, + "pipeline_id": "1", "process": { - "executable_version": "1.0.0.0" + "executable_version": "5.1.17763.1007" }, - "runspace_id": "405e84eb-9ca3-40d8-a4da-cf6ed1b38ed2" - }, - "host": { - "name": "vagrant" - }, - "event": { - "sequence": 13, - "ingested": "2022-01-12T05:21:30.519547354Z", - "code": "400", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e400\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e4\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-14T07:00:30.891423500Z'/\u003e\u003cEventRecordID\u003e1492\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eAvailable\u003c/Data\u003e\u003cData\u003eNone\u003c/Data\u003e\u003cData\u003e\tNewEngineState=Available\n\tPreviousEngineState=None\n\n\tSequenceNumber=13\n\n\tHostName=ServerRemoteHost\n\tHostVersion=1.0.0.0\n\tHostId=2458050c-5e21-47a6-bbdf-41ef2151b519\n\tHostApplication=C:\\Windows\\system32\\wsmprovhost.exe 
-Embedding\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=405e84eb-9ca3-40d8-a4da-cf6ed1b38ed2\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e400\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e4\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-14T07:01:14.371507600Z'/\u003e\u003cEventRecordID\u003e1511\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eAvailable\u003c/Data\u003e\u003cData\u003eNone\u003c/Data\u003e\u003cData\u003e\tNewEngineState=Available\n\tPreviousEngineState=None\n\n\tSequenceNumber=13\n\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=83c6a631-910d-4530-bec2-18b2d0fc380a\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=056a5045-a7bb-49c6-9a9d-2ea95acea751\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e400\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e4\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-14T11:32:51.989256800Z'/\u003e\u003cEventRecordID\u003e1579\u003c/EventRecordID\u003e\u003cChannel\u003eWindows 
PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eAvailable\u003c/Data\u003e\u003cData\u003eNone\u003c/Data\u003e\u003cData\u003e\tNewEngineState=Available\n\tPreviousEngineState=None\n\n\tSequenceNumber=13\n\n\tHostName=Windows PowerShell ISE Host\n\tHostVersion=5.1.17763.1007\n\tHostId=f3d0acd6-4ec1-4e0a-9c8e-27ee07eec3ab\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe C:\\Users\\vagrant\\Desktop\\patata.ps1\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=24067d05-e98a-4fbb-9cda-020e4c65017d\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e400\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e4\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-06-04T07:20:27.747227500Z'/\u003e\u003cEventRecordID\u003e18591\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eAvailable\u003c/Data\u003e\u003cData\u003eNone\u003c/Data\u003e\u003cData\u003e\tNewEngineState=Available\n\tPreviousEngineState=None\n\n\tSequenceNumber=9\n\n\tHostName=ConsoleHost\n\tHostVersion=2.0\n\tHostId=7018c049-c75b-4e02-9c0f-6761b97e1657\n\tEngineVersion=2.0\n\tRunspaceId=6ebeca05-d618-4c66-a0d8-4269d800d099\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "PowerShell", - "kind": "event", - "category": "process", - "type": "start" + "runspace_id": 
"6a447a2c-693e-4d41-948d-129b455b2569", + "sequence": 1, + "total": 1 }, - "tags": [ - "forwarded" - ] - }, - { "process": { "args": [ "powershell", 
@@ -137,141 +188,86 @@ "}" ], "args_count": 17, + "command_line": "powershell -executionpolicy bypass \u0026 { if (Test-Path variable:global:ProgressPreference){set-variable -name variable:global:ProgressPreference -value 'SilentlyContinue'};. c:/Windows/Temp/packer-ps-env-vars-5e5637dd-15a9-73e0-889a-c01f541a8bc6.ps1; \u0026'c:/Windows/Temp/script-5e5637dd-5626-019d-027a-02e78baaacc9.ps1'; exit $LastExitCode }", "entity_id": "ac3c99ce-7983-4996-807e-6a689eaba50b", - "title": "ConsoleHost", - "command_line": "powershell -executionpolicy bypass \u0026 { if (Test-Path variable:global:ProgressPreference){set-variable -name variable:global:ProgressPreference -value 'SilentlyContinue'};. c:/Windows/Temp/packer-ps-env-vars-5e5637dd-15a9-73e0-889a-c01f541a8bc6.ps1; \u0026'c:/Windows/Temp/script-5e5637dd-5626-019d-027a-02e78baaacc9.ps1'; exit $LastExitCode }" - }, - "winlog": { - "channel": "Windows PowerShell", - "computer_name": "vagrant-2019", - "record_id": "191", - "event_id": "800", - "keywords": [ - "Classic" - ], - "provider_name": "PowerShell" - }, - "log": { - "level": "information" - }, - "tags": [ - "forwarded" - ], - "@timestamp": "2020-02-26T09:37:40.487Z", - "file": { - "name": "Microsoft.PowerShell.Archive.psm1", - "path": "C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Archive\\Microsoft.PowerShell.Archive.psm1", - "extension": "psm1", - "directory": "C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Archive" - }, - "ecs": { - "version": "8.0.0" + "title": "ConsoleHost" }, "related": { "user": [ "vagrant" ] }, - "powershell": { - "sequence": 1, - "total": 1, - "process": { - "executable_version": "5.1.17763.1007" - }, - "engine": { - "version": "5.1.17763.1007" - }, - "runspace_id": "6a447a2c-693e-4d41-948d-129b455b2569", - "pipeline_id": "1", - "command": { - "value": " Add-Type -AssemblyName System.IO.Compression.FileSystem", - "invocation_details": [ - { - "related_command": "Add-Type", - 
"type": "CommandInvocation", - "value": "\"Add-Type\"" - }, - { - "related_command": "Add-Type", - "name": "\"AssemblyName\"", - "type": "ParameterBinding", - "value": "\"System.IO.Compression.FileSystem\"" - } - ] - } - }, - "host": { - "name": "vagrant-2019" - }, - "event": { - "sequence": 17, - "ingested": "2022-01-12T05:21:30.519547795Z", - "code": "800", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e800\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e8\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-02-26T09:37:40.487241500Z'/\u003e\u003cEventRecordID\u003e191\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant-2019\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003e Add-Type -AssemblyName System.IO.Compression.FileSystem\n\u003c/Data\u003e\u003cData\u003e\tDetailSequence=1\n\tDetailTotal=1\n\n\tSequenceNumber=17\n\n\tUserId=VAGRANT-2019\\vagrant\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=ac3c99ce-7983-4996-807e-6a689eaba50b\n\tHostApplication=powershell -executionpolicy bypass \u0026amp; { if (Test-Path variable:global:ProgressPreference){set-variable -name variable:global:ProgressPreference -value 'SilentlyContinue'};. 
c:/Windows/Temp/packer-ps-env-vars-5e5637dd-15a9-73e0-889a-c01f541a8bc6.ps1; \u0026amp;'c:/Windows/Temp/script-5e5637dd-5626-019d-027a-02e78baaacc9.ps1'; exit $LastExitCode }\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=6a447a2c-693e-4d41-948d-129b455b2569\n\tPipelineId=1\n\tScriptName=C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Archive\\Microsoft.PowerShell.Archive.psm1\n\tCommandLine= Add-Type -AssemblyName System.IO.Compression.FileSystem\n\u003c/Data\u003e\u003cData\u003eCommandInvocation(Add-Type): \"Add-Type\"\nParameterBinding(Add-Type): name=\"AssemblyName\"; value=\"System.IO.Compression.FileSystem\"\n\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e800\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e8\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-15T08:33:26.376993100Z'/\u003e\u003cEventRecordID\u003e1843\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003e\u0026amp; { Set-StrictMode -Version 1; $this.Exception.InnerException.PSMessageDetails }\u003c/Data\u003e\u003cData\u003e\tDetailSequence=1\n\tDetailTotal=1\n\n\tSequenceNumber=135\n\n\tUserId=VAGRANT\\vagrant\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=aae5217d-054f-435f-9968-4b5bebf12116\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=a87e8389-57c7-4997-95ff-f82f644965bf\n\tPipelineId=71\n\tScriptName=\n\tCommandLine=\u0026amp; { Set-StrictMode -Version 1; 
$this.Exception.InnerException.PSMessageDetails }\u003c/Data\u003e\u003cData\u003eCommandInvocation(Set-StrictMode): \"Set-StrictMode\"\nParameterBinding(Set-StrictMode): name=\"Version\"; value=\"1.0\"\n\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e800\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e8\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-15T08:33:26.393089000Z'/\u003e\u003cEventRecordID\u003e1846\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eImport-LocalizedData LocalizedData -filename ArchiveResources\n\u003c/Data\u003e\u003cData\u003e\tDetailSequence=1\n\tDetailTotal=1\n\n\tSequenceNumber=141\n\n\tUserId=VAGRANT\\vagrant\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=aae5217d-054f-435f-9968-4b5bebf12116\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=a87e8389-57c7-4997-95ff-f82f644965bf\n\tPipelineId=71\n\tScriptName=\n\tCommandLine=Import-LocalizedData LocalizedData -filename ArchiveResources\n\u003c/Data\u003e\u003cData\u003eCommandInvocation(Import-LocalizedData): \"Import-LocalizedData\"\nParameterBinding(Import-LocalizedData): name=\"FileName\"; value=\"ArchiveResources\"\nParameterBinding(Import-LocalizedData): name=\"BindingVariable\"; value=\"LocalizedData\"\nNonTerminatingError(Import-LocalizedData): \"Cannot find the Windows PowerShell data file 'ArchiveResources.psd1' in directory 'C:\\Gopath\\src\\github.com\\elastic\\beats\\x-pack\\winlogbeat\\en-US\\', or in 
any parent culture directories.\"\n\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e800\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e8\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-15T08:33:26.393089000Z'/\u003e\u003cEventRecordID\u003e1847\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003e\u003c/Data\u003e\u003cData\u003e\tDetailSequence=1\n\tDetailTotal=1\n\n\tSequenceNumber=143\n\n\tUserId=VAGRANT\\vagrant\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=aae5217d-054f-435f-9968-4b5bebf12116\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=a87e8389-57c7-4997-95ff-f82f644965bf\n\tPipelineId=71\n\tScriptName=\n\tCommandLine=\u003c/Data\u003e\u003cData\u003eCommandInvocation(Out-Default): \"Out-Default\"\nParameterBinding(Out-Default): name=\"InputObject\"; value=\"Cannot find the Windows PowerShell data file 'ArchiveResources.psd1' in directory 'C:\\Gopath\\src\\github.com\\elastic\\beats\\x-pack\\winlogbeat\\en-US\\', or in any parent culture directories.\"\n\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "PowerShell", - "kind": "event", - "category": "process", - "type": "info" - }, + "tags": [ + "forwarded" + ], "user": { - "name": "vagrant", - "domain": "VAGRANT-2019" - } - }, - { - "process": { - "args": [ - "C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PowerShell_ISE.exe" - ], - "args_count": 1, - "entity_id": "1929aa68-472a-404a-8ead-96bd7b49f2db", - 
"title": "Windows PowerShell ISE Host", - "command_line": "C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PowerShell_ISE.exe" + "domain": "VAGRANT-2019", + "name": "vagrant" }, - "@timestamp": "2020-05-14T15:31:22.426Z", "winlog": { "channel": "Windows PowerShell", - "computer_name": "vagrant", - "record_id": "1687", - "event_id": "403", + "computer_name": "vagrant-2019", + "event_id": "800", "keywords": [ "Classic" ], - "provider_name": "PowerShell" - }, + "provider_name": "PowerShell", + "record_id": "191" + } + }, + { + "@timestamp": "2020-05-14T15:31:22.426Z", "ecs": { "version": "8.0.0" }, + "event": { + "category": "process", + "code": "403", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e403\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e4\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-14T15:31:22.426923800Z'/\u003e\u003cEventRecordID\u003e1687\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eStopped\u003c/Data\u003e\u003cData\u003eAvailable\u003c/Data\u003e\u003cData\u003e\tNewEngineState=Stopped\n\tPreviousEngineState=Available\n\n\tSequenceNumber=33\n\n\tHostName=Windows PowerShell ISE Host\n\tHostVersion=5.1.17763.1007\n\tHostId=1929aa68-472a-404a-8ead-96bd7b49f2db\n\tHostApplication=C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PowerShell_ISE.exe\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=6f14a54e-5992-42dd-b38c-68830a28b1b6\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent 
xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e403\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e4\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-15T08:11:47.932007000Z'/\u003e\u003cEventRecordID\u003e1706\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eStopped\u003c/Data\u003e\u003cData\u003eAvailable\u003c/Data\u003e\u003cData\u003e\tNewEngineState=Stopped\n\tPreviousEngineState=Available\n\n\tSequenceNumber=37\n\n\tHostName=ServerRemoteHost\n\tHostVersion=1.0.0.0\n\tHostId=ed57761b-ba0f-4d11-87d9-fac33820d20e\n\tHostApplication=C:\\Windows\\system32\\wsmprovhost.exe -Embedding\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=0729459a-8646-4176-8b02-024421a9632e\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e403\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e4\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-15T08:28:53.626698200Z'/\u003e\u003cEventRecordID\u003e1766\u003c/EventRecordID\u003e\u003cChannel\u003eWindows 
PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eStopped\u003c/Data\u003e\u003cData\u003eAvailable\u003c/Data\u003e\u003cData\u003e\tNewEngineState=Stopped\n\tPreviousEngineState=Available\n\n\tSequenceNumber=37\n\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=f9cd0d65-6665-4b88-9142-f03a2d20f8b8\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -executionpolicy bypass -encodedCommand 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 -inputFormat xml -outputFormat text\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=8228a4bd-3125-4d1a-997b-3a4df8c085f2\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e403\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e4\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-06-04T07:20:28.686193900Z'/\u003e\u003cEventRecordID\u003e18592\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eStopped\u003c/Data\u003e\u003cData\u003eAvailable\u003c/Data\u003e\u003cData\u003e\tNewEngineState=Stopped\n\tPreviousEngineState=Available\n\n\tSequenceNumber=10\n\n\tHostName=ConsoleHost\n\tHostVersion=2.0\n\tHostId=7018c049-c75b-4e02-9c0f-6761b97e1657\n\tEngineVersion=2.0\n\tRunspaceId=6ebeca05-d618-4c66-a0d8-4269d800d099\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": 
"PowerShell", + "sequence": 33, + "type": "end" + }, + "host": { + "name": "vagrant" + }, "log": { "level": "information" }, "powershell": { "engine": { "new_state": "Stopped", - "version": "5.1.17763.1007", - "previous_state": "Available" + "previous_state": "Available", + "version": "5.1.17763.1007" }, "process": { "executable_version": "5.1.17763.1007" }, "runspace_id": "6f14a54e-5992-42dd-b38c-68830a28b1b6" }, - "host": { - "name": "vagrant" - }, - "event": { - "sequence": 33, - "ingested": "2022-01-12T05:21:30.519548146Z", - "code": "403", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e403\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e4\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-14T15:31:22.426923800Z'/\u003e\u003cEventRecordID\u003e1687\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eStopped\u003c/Data\u003e\u003cData\u003eAvailable\u003c/Data\u003e\u003cData\u003e\tNewEngineState=Stopped\n\tPreviousEngineState=Available\n\n\tSequenceNumber=33\n\n\tHostName=Windows PowerShell ISE Host\n\tHostVersion=5.1.17763.1007\n\tHostId=1929aa68-472a-404a-8ead-96bd7b49f2db\n\tHostApplication=C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PowerShell_ISE.exe\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=6f14a54e-5992-42dd-b38c-68830a28b1b6\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID 
Qualifiers='0'\u003e403\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e4\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-15T08:11:47.932007000Z'/\u003e\u003cEventRecordID\u003e1706\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eStopped\u003c/Data\u003e\u003cData\u003eAvailable\u003c/Data\u003e\u003cData\u003e\tNewEngineState=Stopped\n\tPreviousEngineState=Available\n\n\tSequenceNumber=37\n\n\tHostName=ServerRemoteHost\n\tHostVersion=1.0.0.0\n\tHostId=ed57761b-ba0f-4d11-87d9-fac33820d20e\n\tHostApplication=C:\\Windows\\system32\\wsmprovhost.exe -Embedding\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=0729459a-8646-4176-8b02-024421a9632e\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e403\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e4\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-15T08:28:53.626698200Z'/\u003e\u003cEventRecordID\u003e1766\u003c/EventRecordID\u003e\u003cChannel\u003eWindows 
PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eStopped\u003c/Data\u003e\u003cData\u003eAvailable\u003c/Data\u003e\u003cData\u003e\tNewEngineState=Stopped\n\tPreviousEngineState=Available\n\n\tSequenceNumber=37\n\n\tHostName=ConsoleHost\n\tHostVersion=5.1.17763.1007\n\tHostId=f9cd0d65-6665-4b88-9142-f03a2d20f8b8\n\tHostApplication=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -executionpolicy bypass -encodedCommand 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 -inputFormat xml -outputFormat text\n\tEngineVersion=5.1.17763.1007\n\tRunspaceId=8228a4bd-3125-4d1a-997b-3a4df8c085f2\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='PowerShell'/\u003e\u003cEventID Qualifiers='0'\u003e403\u003c/EventID\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e4\u003c/Task\u003e\u003cKeywords\u003e0x80000000000000\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-06-04T07:20:28.686193900Z'/\u003e\u003cEventRecordID\u003e18592\u003c/EventRecordID\u003e\u003cChannel\u003eWindows PowerShell\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData\u003eStopped\u003c/Data\u003e\u003cData\u003eAvailable\u003c/Data\u003e\u003cData\u003e\tNewEngineState=Stopped\n\tPreviousEngineState=Available\n\n\tSequenceNumber=10\n\n\tHostName=ConsoleHost\n\tHostVersion=2.0\n\tHostId=7018c049-c75b-4e02-9c0f-6761b97e1657\n\tEngineVersion=2.0\n\tRunspaceId=6ebeca05-d618-4c66-a0d8-4269d800d099\n\tPipelineId=\n\tCommandName=\n\tCommandType=\n\tScriptName=\n\tCommandPath=\n\tCommandLine=\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": 
"PowerShell", - "kind": "event", - "category": "process", - "type": "end" + "process": { + "args": [ + "C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PowerShell_ISE.exe" + ], + "args_count": 1, + "command_line": "C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\PowerShell_ISE.exe", + "entity_id": "1929aa68-472a-404a-8ead-96bd7b49f2db", + "title": "Windows PowerShell ISE Host" }, "tags": [ "forwarded" - ] + ], + "winlog": { + "channel": "Windows PowerShell", + "computer_name": "vagrant", + "event_id": "403", + "keywords": [ + "Classic" + ], + "provider_name": "PowerShell", + "record_id": "1687" + } } ] } \ No newline at end of file diff --git a/packages/windows/data_stream/powershell/elasticsearch/ingest_pipeline/default.yml b/packages/windows/data_stream/powershell/elasticsearch/ingest_pipeline/default.yml index 6d94b1bfe64..7e9df152b05 100644 --- a/packages/windows/data_stream/powershell/elasticsearch/ingest_pipeline/default.yml +++ b/packages/windows/data_stream/powershell/elasticsearch/ingest_pipeline/default.yml @@ -38,9 +38,6 @@ processors: ignore_failure: true if: ctx?.winlog?.time_created != null - - set: - field: event.ingested - value: '{{_ingest.timestamp}}' - set: field: event.kind value: event diff --git a/packages/windows/data_stream/powershell_operational/_dev/test/pipeline/test-events.json-config.yml b/packages/windows/data_stream/powershell_operational/_dev/test/pipeline/test-events.json-config.yml deleted file mode 100644 index c39dc386179..00000000000 --- a/packages/windows/data_stream/powershell_operational/_dev/test/pipeline/test-events.json-config.yml +++ /dev/null @@ -1,2 +0,0 @@ -dynamic_fields: - event.ingested: ".*" diff --git a/packages/windows/data_stream/powershell_operational/_dev/test/pipeline/test-events.json-expected.json b/packages/windows/data_stream/powershell_operational/_dev/test/pipeline/test-events.json-expected.json index 612147902d9..b2c5deb1628 100644 
--- a/packages/windows/data_stream/powershell_operational/_dev/test/pipeline/test-events.json-expected.json +++ b/packages/windows/data_stream/powershell_operational/_dev/test/pipeline/test-events.json-expected.json 
@@ -2,126 +2,83 @@ "expected": [ { "@timestamp": "2020-05-13T09:04:04.755Z", - "winlog": { - "computer_name": "vagrant", - "record_id": "790", - "process": { - "pid": 4204, - "thread": { - "id": 1476 - } - }, - "event_id": "4105", - "provider_guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}", - "channel": "Microsoft-Windows-PowerShell/Operational", - "activity_id": "{dd68516a-2930-0000-5962-68dd3029d601}", - "provider_name": "Microsoft-Windows-PowerShell", - "version": 1, - "user": { - "identifier": "S-1-5-21-1350058589-2282154016-2764056528-1000" - } - }, "ecs": { "version": "8.0.0" }, - "log": { - "level": "verbose" - }, - "powershell": { - "runspace_id": "9c031e5c-8d5a-4b91-a12e-b3624970b623", - "file": { - "script_block_id": "f4a378ab-b74f-41a7-a5ef-6dd55562fdb9" - } - }, - "host": { - "name": "vagrant" - }, "event": { - "ingested": "2022-01-12T05:21:31.956824087Z", + "category": "process", "code": "4105", + "kind": "event", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4105\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e5\u003c/Level\u003e\u003cTask\u003e102\u003c/Task\u003e\u003cOpcode\u003e15\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-13T09:04:04.755232500Z'/\u003e\u003cEventRecordID\u003e790\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{dd68516a-2930-0000-5962-68dd3029d601}'/\u003e\u003cExecution ProcessID='4204' ThreadID='1476'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='ScriptBlockId'\u003ef4a378ab-b74f-41a7-a5ef-6dd55562fdb9\u003c/Data\u003e\u003cData 
Name='RunspaceId'\u003e9c031e5c-8d5a-4b91-a12e-b3624970b623\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-PowerShell", - "kind": "event", - "category": "process", "type": "start" }, - "user": { - "id": "S-1-5-21-1350058589-2282154016-2764056528-1000" + "host": { + "name": "vagrant" + }, + "log": { + "level": "verbose" + }, + "powershell": { + "file": { + "script_block_id": "f4a378ab-b74f-41a7-a5ef-6dd55562fdb9" + }, + "runspace_id": "9c031e5c-8d5a-4b91-a12e-b3624970b623" }, "tags": [ "forwarded" - ] - }, - { - "process": { - "args": [ - "C:\\Windows\\system32\\wsmprovhost.exe", - "-Embedding" - ], - "args_count": 2, - "entity_id": "ed57761b-ba0f-4d11-87d9-fac33820d20e", - "title": "ServerRemoteHost", - "command_line": "C:\\Windows\\system32\\wsmprovhost.exe -Embedding" + ], + "user": { + "id": "S-1-5-21-1350058589-2282154016-2764056528-1000" }, "winlog": { + "activity_id": "{dd68516a-2930-0000-5962-68dd3029d601}", + "channel": "Microsoft-Windows-PowerShell/Operational", "computer_name": "vagrant", - "record_id": "3885", + "event_id": "4105", "process": { - "pid": 3984, + "pid": 4204, "thread": { - "id": 3616 + "id": 1476 } }, - "event_id": "4103", "provider_guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}", - "channel": "Microsoft-Windows-PowerShell/Operational", - "activity_id": "{1aca0717-2acb-0002-c208-ca1acb2ad601}", "provider_name": "Microsoft-Windows-PowerShell", - "version": 1, + "record_id": "790", "user": { "identifier": "S-1-5-21-1350058589-2282154016-2764056528-1000" - } - }, - "log": { - "level": "information" - }, + }, + "version": 1 + } + }, + { + "@timestamp": "2020-05-15T08:11:47.897Z", "destination": { "user": { - "name": "vagrant", - "domain": "VAGRANT" - } - }, - "source": { - "user": { - "name": "vagrant", - "domain": "VAGRANT" + "domain": "VAGRANT", + "name": "vagrant" } }, - "tags": [ - "forwarded" - ], - "@timestamp": "2020-05-15T08:11:47.897Z", "ecs": { "version": "8.0.0" }, - "related": { - "user": 
[ - "vagrant" - ] + "event": { + "category": "process", + "code": "4103", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4103\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e106\u003c/Task\u003e\u003cOpcode\u003e20\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-15T08:11:47.897949500Z'/\u003e\u003cEventRecordID\u003e3885\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{1aca0717-2acb-0002-c208-ca1acb2ad601}'/\u003e\u003cExecution ProcessID='3984' ThreadID='3616'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='ContextInfo'\u003e Severity = Informational\n Host Name = ServerRemoteHost\n Host Version = 1.0.0.0\n Host ID = ed57761b-ba0f-4d11-87d9-fac33820d20e\n Host Application = C:\\Windows\\system32\\wsmprovhost.exe -Embedding\n Engine Version = 5.1.17763.1007\n Runspace ID = 0729459a-8646-4176-8b02-024421a9632e\n Pipeline ID = 1\n Command Name = cmd.exe\n Command Type = Application\n Script Name =\n Command Path = C:\\Windows\\system32\\cmd.exe\n Sequence Number = 34\n User = VAGRANT\\vagrant\n Connected User = VAGRANT\\vagrant\n Shell ID = Microsoft.PowerShell\n\u003c/Data\u003e\u003cData Name='UserData'\u003e\u003c/Data\u003e\u003cData Name='Payload'\u003eCommandInvocation(cmd.exe): \"cmd.exe\"\nCommandInvocation(Out-Null): \"Out-Null\"\nParameterBinding(Out-Null): name=\"InputObject\"; value=\"symbolic link created for C:\\vagrant \u0026lt;\u0026lt;===\u0026gt;\u0026gt; 
\\\\vboxsvr\\vagrant\"\n\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4103\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e106\u003c/Task\u003e\u003cOpcode\u003e20\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-15T08:13:06.703293900Z'/\u003e\u003cEventRecordID\u003e3917\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{1aca0717-2acb-0003-db0b-ca1acb2ad601}'/\u003e\u003cExecution ProcessID='5032' ThreadID='4160'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='ContextInfo'\u003e Severity = Informational\n Host Name = ConsoleHost\n Host Version = 5.1.17763.1007\n Host ID = aae5217d-054f-435f-9968-4b5bebf12116\n Host Application = C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n Engine Version = 5.1.17763.1007\n Runspace ID = a87e8389-57c7-4997-95ff-f82f644965bf\n Pipeline ID = 9\n Command Name = Resolve-Path\n Command Type = Cmdlet\n Script Name =\n Command Path =\n Sequence Number = 22\n User = VAGRANT\\vagrant\n Connected User =\n Shell ID = Microsoft.PowerShell\n\u003c/Data\u003e\u003cData Name='UserData'\u003e\u003c/Data\u003e\u003cData Name='Payload'\u003eCommandInvocation(Resolve-Path): \"Resolve-Path\"\nParameterBinding(Resolve-Path): name=\"ErrorAction\"; value=\"Ignore\"\nParameterBinding(Resolve-Path): name=\"WarningAction\"; value=\"Ignore\"\nParameterBinding(Resolve-Path): name=\"InformationAction\"; 
value=\"Ignore\"\nParameterBinding(Resolve-Path): name=\"Verbose\"; value=\"False\"\nParameterBinding(Resolve-Path): name=\"Debug\"; value=\"False\"\nParameterBinding(Resolve-Path): name=\"Path\"; value=\"C:\\Gopath\\src\\github.com\\elastic\\beats\\x*\"\n\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-PowerShell", + "sequence": 34, + "type": "info" + }, + "host": { + "name": "vagrant" + }, + "log": { + "level": "information" }, "powershell": { - "pipeline_id": "1", - "process": { - "executable_version": "1.0.0.0" - }, - "id": "Microsoft.PowerShell", - "engine": { - "version": "5.1.17763.1007" - }, - "runspace_id": "0729459a-8646-4176-8b02-024421a9632e", "command": { - "name": "cmd.exe", - "path": "C:\\Windows\\system32\\cmd.exe", "invocation_details": [ { "related_command": "cmd.exe", 
@@ -134,139 +91,178 @@ "value": "\"Out-Null\"" }, { - "related_command": "Out-Null", "name": "\"InputObject\"", + "related_command": "Out-Null", "type": "ParameterBinding", "value": "\"symbolic link created for C:\\vagrant \u003c\u003c===\u003e\u003e \\\\vboxsvr\\vagrant\"" } ], + "name": "cmd.exe", + "path": "C:\\Windows\\system32\\cmd.exe", "type": "Application" - } + }, + "engine": { + "version": "5.1.17763.1007" + }, + "id": "Microsoft.PowerShell", + "pipeline_id": "1", + "process": { + "executable_version": "1.0.0.0" + }, + "runspace_id": "0729459a-8646-4176-8b02-024421a9632e" }, - "host": { - "name": "vagrant" + "process": { + "args": [ + "C:\\Windows\\system32\\wsmprovhost.exe", + "-Embedding" + ], + "args_count": 2, + "command_line": "C:\\Windows\\system32\\wsmprovhost.exe -Embedding", + "entity_id": "ed57761b-ba0f-4d11-87d9-fac33820d20e", + "title": "ServerRemoteHost" }, - "event": { - "sequence": 34, - "ingested": "2022-01-12T05:21:31.956826585Z", - "code": "4103", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4103\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e106\u003c/Task\u003e\u003cOpcode\u003e20\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-15T08:11:47.897949500Z'/\u003e\u003cEventRecordID\u003e3885\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{1aca0717-2acb-0002-c208-ca1acb2ad601}'/\u003e\u003cExecution ProcessID='3984' ThreadID='3616'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='ContextInfo'\u003e Severity = 
Informational\n Host Name = ServerRemoteHost\n Host Version = 1.0.0.0\n Host ID = ed57761b-ba0f-4d11-87d9-fac33820d20e\n Host Application = C:\\Windows\\system32\\wsmprovhost.exe -Embedding\n Engine Version = 5.1.17763.1007\n Runspace ID = 0729459a-8646-4176-8b02-024421a9632e\n Pipeline ID = 1\n Command Name = cmd.exe\n Command Type = Application\n Script Name =\n Command Path = C:\\Windows\\system32\\cmd.exe\n Sequence Number = 34\n User = VAGRANT\\vagrant\n Connected User = VAGRANT\\vagrant\n Shell ID = Microsoft.PowerShell\n\u003c/Data\u003e\u003cData Name='UserData'\u003e\u003c/Data\u003e\u003cData Name='Payload'\u003eCommandInvocation(cmd.exe): \"cmd.exe\"\nCommandInvocation(Out-Null): \"Out-Null\"\nParameterBinding(Out-Null): name=\"InputObject\"; value=\"symbolic link created for C:\\vagrant \u0026lt;\u0026lt;===\u0026gt;\u0026gt; \\\\vboxsvr\\vagrant\"\n\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4103\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e4\u003c/Level\u003e\u003cTask\u003e106\u003c/Task\u003e\u003cOpcode\u003e20\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-15T08:13:06.703293900Z'/\u003e\u003cEventRecordID\u003e3917\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{1aca0717-2acb-0003-db0b-ca1acb2ad601}'/\u003e\u003cExecution ProcessID='5032' ThreadID='4160'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='ContextInfo'\u003e Severity = Informational\n Host Name = ConsoleHost\n Host Version = 5.1.17763.1007\n Host ID = 
aae5217d-054f-435f-9968-4b5bebf12116\n Host Application = C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noexit -command 'C:\\Gopath\\src\\github.com\\elastic\\beats'\n Engine Version = 5.1.17763.1007\n Runspace ID = a87e8389-57c7-4997-95ff-f82f644965bf\n Pipeline ID = 9\n Command Name = Resolve-Path\n Command Type = Cmdlet\n Script Name =\n Command Path =\n Sequence Number = 22\n User = VAGRANT\\vagrant\n Connected User =\n Shell ID = Microsoft.PowerShell\n\u003c/Data\u003e\u003cData Name='UserData'\u003e\u003c/Data\u003e\u003cData Name='Payload'\u003eCommandInvocation(Resolve-Path): \"Resolve-Path\"\nParameterBinding(Resolve-Path): name=\"ErrorAction\"; value=\"Ignore\"\nParameterBinding(Resolve-Path): name=\"WarningAction\"; value=\"Ignore\"\nParameterBinding(Resolve-Path): name=\"InformationAction\"; value=\"Ignore\"\nParameterBinding(Resolve-Path): name=\"Verbose\"; value=\"False\"\nParameterBinding(Resolve-Path): name=\"Debug\"; value=\"False\"\nParameterBinding(Resolve-Path): name=\"Path\"; value=\"C:\\Gopath\\src\\github.com\\elastic\\beats\\x*\"\n\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-PowerShell", - "kind": "event", - "category": "process", - "type": "info" + "related": { + "user": [ + "vagrant" + ] + }, + "source": { + "user": { + "domain": "VAGRANT", + "name": "vagrant" + } }, + "tags": [ + "forwarded" + ], "user": { - "name": "vagrant", "domain": "VAGRANT", - "id": "S-1-5-21-1350058589-2282154016-2764056528-1000" - } - }, - { - "@timestamp": "2020-05-13T10:40:32.595Z", + "id": "S-1-5-21-1350058589-2282154016-2764056528-1000", + "name": "vagrant" + }, "winlog": { + "activity_id": "{1aca0717-2acb-0002-c208-ca1acb2ad601}", + "channel": "Microsoft-Windows-PowerShell/Operational", "computer_name": "vagrant", - "record_id": "933", + "event_id": "4103", "process": { - "pid": 4776, + "pid": 3984, "thread": { - "id": 5092 + "id": 3616 } }, - "event_id": "4106", "provider_guid": 
"{a0c1853b-5c40-4b15-8766-3cf1c58f985a}", - "channel": "Microsoft-Windows-PowerShell/Operational", - "activity_id": "{e3200b8a-290e-0002-332a-20e30e29d601}", "provider_name": "Microsoft-Windows-PowerShell", - "version": 1, + "record_id": "3885", "user": { "identifier": "S-1-5-21-1350058589-2282154016-2764056528-1000" - } - }, + }, + "version": 1 + } + }, + { + "@timestamp": "2020-05-13T10:40:32.595Z", "ecs": { "version": "8.0.0" }, + "event": { + "category": "process", + "code": "4106", + "kind": "event", + "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4106\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e5\u003c/Level\u003e\u003cTask\u003e103\u003c/Task\u003e\u003cOpcode\u003e15\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-13T10:40:32.595715200Z'/\u003e\u003cEventRecordID\u003e933\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{e3200b8a-290e-0002-332a-20e30e29d601}'/\u003e\u003cExecution ProcessID='4776' ThreadID='5092'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='ScriptBlockId'\u003e4c487c13-46f7-4485-925b-34855c7e873c\u003c/Data\u003e\u003cData Name='RunspaceId'\u003e3f1a9181-0523-4645-a42c-2c1868c39332\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", + "provider": "Microsoft-Windows-PowerShell", + "type": "end" + }, + "host": { + "name": "vagrant" + }, "log": { "level": "verbose" }, "powershell": { - "runspace_id": "3f1a9181-0523-4645-a42c-2c1868c39332", "file": { "script_block_id": "4c487c13-46f7-4485-925b-34855c7e873c" - } - }, - "host": { - "name": "vagrant" - 
}, - "event": { - "ingested": "2022-01-12T05:21:31.956827079Z", - "code": "4106", - "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4106\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e5\u003c/Level\u003e\u003cTask\u003e103\u003c/Task\u003e\u003cOpcode\u003e15\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-13T10:40:32.595715200Z'/\u003e\u003cEventRecordID\u003e933\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{e3200b8a-290e-0002-332a-20e30e29d601}'/\u003e\u003cExecution ProcessID='4776' ThreadID='5092'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='ScriptBlockId'\u003e4c487c13-46f7-4485-925b-34855c7e873c\u003c/Data\u003e\u003cData Name='RunspaceId'\u003e3f1a9181-0523-4645-a42c-2c1868c39332\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", - "provider": "Microsoft-Windows-PowerShell", - "kind": "event", - "category": "process", - "type": "end" + }, + "runspace_id": "3f1a9181-0523-4645-a42c-2c1868c39332" }, + "tags": [ + "forwarded" + ], "user": { "id": "S-1-5-21-1350058589-2282154016-2764056528-1000" }, - "tags": [ - "forwarded" - ] - }, - { - "@timestamp": "2020-05-14T11:33:51.389Z", "winlog": { + "activity_id": "{e3200b8a-290e-0002-332a-20e30e29d601}", + "channel": "Microsoft-Windows-PowerShell/Operational", "computer_name": "vagrant", - "record_id": "3580", + "event_id": "4106", "process": { - "pid": 4844, + "pid": 4776, "thread": { - "id": 4428 + "id": 5092 } }, - "event_id": "4104", "provider_guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}", - "channel": 
"Microsoft-Windows-PowerShell/Operational", - "activity_id": "{fb13c9de-29f7-0001-18e0-13fbf729d601}", "provider_name": "Microsoft-Windows-PowerShell", - "version": 1, + "record_id": "933", "user": { "identifier": "S-1-5-21-1350058589-2282154016-2764056528-1000" - } - }, + }, + "version": 1 + } + }, + { + "@timestamp": "2020-05-14T11:33:51.389Z", "ecs": { "version": "8.0.0" }, - "log": { - "level": "verbose" - }, - "powershell": { - "sequence": 1, - "total": 1, - "file": { - "script_block_text": ".\\patata.ps1", - "script_block_id": "50d2dbda-7361-4926-a94d-d9eadfdb43fa" - } - }, - "host": { - "name": "vagrant" - }, "event": { - "ingested": "2022-01-12T05:21:31.956827494Z", + "category": "process", "code": "4104", + "kind": "event", "original": "\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4104\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e5\u003c/Level\u003e\u003cTask\u003e2\u003c/Task\u003e\u003cOpcode\u003e15\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-14T11:33:51.389266200Z'/\u003e\u003cEventRecordID\u003e3580\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{fb13c9de-29f7-0001-18e0-13fbf729d601}'/\u003e\u003cExecution ProcessID='4844' ThreadID='4428'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='MessageNumber'\u003e1\u003c/Data\u003e\u003cData Name='MessageTotal'\u003e1\u003c/Data\u003e\u003cData Name='ScriptBlockText'\u003e.\\patata.ps1\u003c/Data\u003e\u003cData Name='ScriptBlockId'\u003e50d2dbda-7361-4926-a94d-d9eadfdb43fa\u003c/Data\u003e\u003cData 
Name='Path'\u003e\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e\n\u003cEvent xmlns='http://schemas.microsoft.com/win/2004/08/events/event'\u003e\u003cSystem\u003e\u003cProvider Name='Microsoft-Windows-PowerShell' Guid='{a0c1853b-5c40-4b15-8766-3cf1c58f985a}'/\u003e\u003cEventID\u003e4104\u003c/EventID\u003e\u003cVersion\u003e1\u003c/Version\u003e\u003cLevel\u003e5\u003c/Level\u003e\u003cTask\u003e2\u003c/Task\u003e\u003cOpcode\u003e15\u003c/Opcode\u003e\u003cKeywords\u003e0x0\u003c/Keywords\u003e\u003cTimeCreated SystemTime='2020-05-14T11:33:51.393884800Z'/\u003e\u003cEventRecordID\u003e3582\u003c/EventRecordID\u003e\u003cCorrelation ActivityID='{fb13c9de-29f7-0000-79db-13fbf729d601}'/\u003e\u003cExecution ProcessID='4844' ThreadID='4428'/\u003e\u003cChannel\u003eMicrosoft-Windows-PowerShell/Operational\u003c/Channel\u003e\u003cComputer\u003evagrant\u003c/Computer\u003e\u003cSecurity UserID='S-1-5-21-1350058589-2282154016-2764056528-1000'/\u003e\u003c/System\u003e\u003cEventData\u003e\u003cData Name='MessageNumber'\u003e1\u003c/Data\u003e\u003cData Name='MessageTotal'\u003e1\u003c/Data\u003e\u003cData Name='ScriptBlockText'\u003e\u003c/Data\u003e\u003cData Name='ScriptBlockId'\u003ef5521cbd-656e-4296-b74d-9ffb4eec23b0\u003c/Data\u003e\u003cData Name='Path'\u003eC:\\Users\\vagrant\\Desktop\\patata.ps1\u003c/Data\u003e\u003c/EventData\u003e\u003c/Event\u003e", "provider": "Microsoft-Windows-PowerShell", - "kind": "event", - "category": "process", "type": "info" }, - "user": { - "id": "S-1-5-21-1350058589-2282154016-2764056528-1000" + "host": { + "name": "vagrant" + }, + "log": { + "level": "verbose" + }, + "powershell": { + "file": { + "script_block_id": "50d2dbda-7361-4926-a94d-d9eadfdb43fa", + "script_block_text": ".\\patata.ps1" + }, + "sequence": 1, + "total": 1 }, "tags": [ "forwarded" - ] + ], + "user": { + "id": "S-1-5-21-1350058589-2282154016-2764056528-1000" + }, + "winlog": { + "activity_id": "{fb13c9de-29f7-0001-18e0-13fbf729d601}", + "channel": 
"Microsoft-Windows-PowerShell/Operational", + "computer_name": "vagrant", + "event_id": "4104", + "process": { + "pid": 4844, + "thread": { + "id": 4428 + } + }, + "provider_guid": "{a0c1853b-5c40-4b15-8766-3cf1c58f985a}", + "provider_name": "Microsoft-Windows-PowerShell", + "record_id": "3580", + "user": { + "identifier": "S-1-5-21-1350058589-2282154016-2764056528-1000" + }, + "version": 1 + } } ] } \ No newline at end of file diff --git a/packages/windows/data_stream/powershell_operational/elasticsearch/ingest_pipeline/default.yml b/packages/windows/data_stream/powershell_operational/elasticsearch/ingest_pipeline/default.yml index 90e4f573fa1..16d21d8fe82 100644 --- a/packages/windows/data_stream/powershell_operational/elasticsearch/ingest_pipeline/default.yml +++ b/packages/windows/data_stream/powershell_operational/elasticsearch/ingest_pipeline/default.yml @@ -40,9 +40,6 @@ processors: ignore_failure: true if: ctx?.winlog?.time_created != null - - set: - field: event.ingested - value: '{{_ingest.timestamp}}' - set: field: event.kind value: event diff --git a/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json-config.yml b/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json-config.yml deleted file mode 100644 index c39dc386179..00000000000 --- a/packages/windows/data_stream/sysmon_operational/_dev/test/pipeline/test-events.json-config.yml +++ /dev/null @@ -1,2 +0,0 @@ -dynamic_fields: - event.ingested: ".*" diff --git a/packages/windows/manifest.yml b/packages/windows/manifest.yml index 660257a1755..3d1a39e8a61 100644 --- a/packages/windows/manifest.yml +++ b/packages/windows/manifest.yml @@ -1,6 +1,6 @@ name: windows title: Windows -version: 1.10.1 +version: 1.11.0 description: Collect logs and metrics from Windows OS and services with Elastic Agent. type: integration categories: