diff --git a/.ci/scripts/report-codecov.sh b/.ci/scripts/report-codecov.sh deleted file mode 100755 index cd1ad38b73f..00000000000 --- a/.ci/scripts/report-codecov.sh +++ /dev/null @@ -1,18 +0,0 @@ -#!/usr/bin/env bash -set -exuo pipefail - -CODECOV_URL=https://codecov.io/bash -if [ -e /usr/local/bin/bash_standard_lib.sh ] ; then - # shellcheck disable=SC1091 - source /usr/local/bin/bash_standard_lib.sh - (retry 3 curl -sSLo codecov ${CODECOV_URL}) -else - curl -sSLo codecov ${CODECOV_URL} -fi - -for i in "$@" ; do - FILE="${i}/build/coverage/full.cov" - if [ -f "${FILE}" ]; then - bash codecov -f "${FILE}" - fi -done diff --git a/.travis.yml b/.travis.yml index 1fd774492ba..7809fe380b7 100644 --- a/.travis.yml +++ b/.travis.yml 
@@ -401,13 +401,4 @@ notifications: on_failure: always on_pull_requests: false rooms: - secure: "e25J5puEA31dOooTI4T+K+zrTs8XeWIGq2cgmiPt9u/g7eqWeQj1UJnVsr8GOu1RPDyuJZJHXqfrvuOYJTdHzXbwjD0JTbwwVVZMkkZW2SWZHG46HCXPiucjWXEr3hXJKBJDDpIx6VxrN7r17dejv1biQ8QuEFZfiB1H8kbH/ho=" - -after_success: - # Copy full.cov to coverage.txt because codecov.io requires this file - - test -f auditbeat/build/coverage/full.cov && bash <(curl -s https://codecov.io/bash) -f auditbeat/build/coverage/full.cov - - test -f filebeat/build/coverage/full.cov && bash <(curl -s https://codecov.io/bash) -f filebeat/build/coverage/full.cov - - test -f heartbeat/build/coverage/full.cov && bash <(curl -s https://codecov.io/bash) -f heartbeat/build/coverage/full.cov - - test -f libbeat/build/coverage/full.cov && bash <(curl -s https://codecov.io/bash) -f libbeat/build/coverage/full.cov - - test -f metricbeat/build/coverage/full.cov && bash <(curl -s https://codecov.io/bash) -f metricbeat/build/coverage/full.cov - - test -f packetbeat/build/coverage/full.cov && bash <(curl -s https://codecov.io/bash) -f packetbeat/build/coverage/full.cov + secure: "e25J5puEA31dOooTI4T+K+zrTs8XeWIGq2cgmiPt9u/g7eqWeQj1UJnVsr8GOu1RPDyuJZJHXqfrvuOYJTdHzXbwjD0JTbwwVVZMkkZW2SWZHG46HCXPiucjWXEr3hXJKBJDDpIx6VxrN7r17dejv1biQ8QuEFZfiB1H8kbH/ho=" \ No newline at end of file diff --git a/CHANGELOG-developer.next.asciidoc b/CHANGELOG-developer.next.asciidoc index 8f2a8b4fbf5..7eca9675e0f 100644 --- a/CHANGELOG-developer.next.asciidoc +++ b/CHANGELOG-developer.next.asciidoc 
@@ -55,6 +55,7 @@ The list below covers the major changes between 7.0.0-rc2 and master only. ==== Bugfixes - Stop using `mage:import` in community beats. This was ignoring the vendorized beats directory for some mage targets, using the code available in GOPATH, this causes inconsistencies and compilation problems if the version of the code in the GOPATH is different to the vendored one. Use of `mage:import` will continue to be unsupported in custom beats till beats is migrated to go modules, or mage supports vendored dependencies. {issue}13998[13998] {pull}14162[14162] +- Metricbeat module builders call host parser only once when instantiating light modules. {pull}20149[20149] ==== Added diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index a3e645d1197..306dc5f96a3 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -61,6 +61,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Adds Gsuite Admin support. {pull}19769[19769] - Adds Gsuite Drive support. {pull}19704[19704] - Adds Gsuite Groups support. {pull}19725[19725] +- Move file metrics to dataset endpoint {pull}19977[19977] *Heartbeat* @@ -147,7 +148,9 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Fix config reload metrics (`libbeat.config.module.start/stops/running`). {pull}19168[19168] - Fix metrics hints builder to avoid wrong container metadata usage when port is not exposed {pull}18979[18979] - Server-side TLS config now validates certificate and key are both specified {pull}19584[19584] +- Fix terminating pod autodiscover issue. {pull}20084[20084] - Fix seccomp policy for calls to `chmod` and `chown`. {pull}20054[20054] +- Output errors when Kibana index pattern setup fails. {pull}20121[20121] *Auditbeat* 
@@ -218,6 +221,8 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Fix S3 input to trim delimiter /n from each log line. {pull}19972[19972] - Ignore missing in Zeek module when dropping unecessary fields. {pull}19984[19984] - Fix Filebeat OOMs on very long lines {issue}19500[19500], {pull}19552[19552] +- Fix s3 input parsing json file without expand_event_list_from_field. {issue}19902[19902] {pull}19962[19962] +- Fix millisecond timestamp normalization issues in CrowdStrike module {issue}20035[20035], {pull}20138[20138] *Heartbeat* @@ -349,6 +354,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Add support to trim captured values in the dissect processor. {pull}19464[19464] - Added the `max_cached_sessions` option to the script processor. {pull}19562[19562] - Add support for DNS over TLS for the dns_processor. {pull}19321[19321] +- Set index.max_docvalue_fields_search in index template to increase value to 200 fields. {issue}20215[20215] *Auditbeat* @@ -470,7 +476,6 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Add experimental dataset cisco/nexus for Cisco Nexus logs {pull}19713[19713] - Add experimental dataset citrix/virtualapps for Citrix Virtual Apps logs {pull}19713[19713] - Add experimental dataset cylance/protect for Cylance Protect logs {pull}19713[19713] -- Add experimental dataset f5/firepass for F5 FirePass SSL VPN logs {pull}19713[19713] - Add experimental dataset fortinet/clientendpoint for Fortinet FortiClient Endpoint Protection logs {pull}19713[19713] - Add experimental dataset imperva/securesphere for Imperva Secure Sphere logs {pull}19713[19713] - Add experimental dataset infoblox/nios for Infoblox Network Identity Operating System logs {pull}19713[19713] 
@@ -484,6 +489,8 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Add experimental dataset squid/log for Squid Proxy Server logs {pull}19713[19713] - Add experimental dataset zscaler/zia for Zscaler Internet Access logs {pull}19713[19713] - Add initial support for configurable file identity tracking. {pull}18748[18748] +- Add event.ingested for CrowdStrike module {pull}20138[20138] +- Add support for additional fields and FirewallMatchEvent type events in CrowdStrike module {pull}20138[20138] *Heartbeat* @@ -591,6 +598,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Adds support for app insights metrics in the azure module. {issue}18570[18570] {pull}18940[18940] - Added cache and connection_errors metrics to status metricset of MySQL module {issue}16955[16955] {pull}19844[19844] - Update MySQL dashboard with connection errors and cache metrics {pull}19913[19913] {issue}16955[16955] +- Add cloud.instance.name into aws ec2 metricset. {pull}20077[20077] *Packetbeat* @@ -598,6 +606,8 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d `host` metadata fields when processing network data from network tap or mirror port. {pull}19209[19209] - Add ECS fields for x509 certs, event categorization, and related IP info. {pull}19167[19167] +- Add 100-continue support {issue}15830[15830] {pull}19349[19349] + *Functionbeat* - Add basic ECS categorization and `cloud` fields. {pull}19174[19174] diff --git a/Jenkinsfile b/Jenkinsfile index 90b0d9251fa..c415e7ef605 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -23,7 +23,7 @@ import groovy.transform.Field @Field def stashedTestReports = [:] pipeline { - agent { label 'ubuntu && immutable' } + agent { label 'ubuntu-18 && immutable' } environment { BASE_DIR = 'src/github.com/elastic/beats' GOX_FLAGS = "-arch amd64" 
@@ -50,17 +50,15 @@ pipeline { rateLimitBuilds(throttle: [count: 60, durationName: 'hour', userBoost: true]) } triggers { - issueCommentTrigger('(?i).*(?:jenkins\\W+)?run\\W+(?:the\\W+)?tests(?:\\W+please)?.*') + issueCommentTrigger('(?i)(.*(?:jenkins\\W+)?run\\W+(?:the\\W+)?tests(?:\\W+please)?.*|^/test(\\W+macos)?$)') } parameters { booleanParam(name: 'runAllStages', defaultValue: false, description: 'Allow to run all stages.') booleanParam(name: 'windowsTest', defaultValue: true, description: 'Allow Windows stages.') - booleanParam(name: 'macosTest', defaultValue: true, description: 'Allow macOS stages.') - + booleanParam(name: 'macosTest', defaultValue: false, description: 'Allow macOS stages.') booleanParam(name: 'allCloudTests', defaultValue: false, description: 'Run all cloud integration tests.') booleanParam(name: 'awsCloudTests', defaultValue: false, description: 'Run AWS cloud integration tests.') string(name: 'awsRegion', defaultValue: 'eu-central-1', description: 'Default AWS region to use for testing.') - booleanParam(name: 'debug', defaultValue: false, description: 'Allow debug logging for Jenkins steps') booleanParam(name: 'dry_run', defaultValue: false, description: 'Skip build steps, it is for testing pipeline flow') } @@ -101,7 +99,7 @@ pipeline { failFast false parallel { stage('Elastic Agent x-pack'){ - agent { label 'ubuntu && immutable' } + agent { label 'ubuntu-18 && immutable' } options { skipDefaultCheckout() } when { beforeAgent true @@ -113,7 +111,6 @@ pipeline { mageTarget(context: "Elastic Agent x-pack Linux", directory: "x-pack/elastic-agent", target: "build test") } } - stage('Elastic Agent x-pack Windows'){ agent { label 'windows-immutable && windows-2019' } options { skipDefaultCheckout() } 
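Review bot: The `macosTest` description still reads 'Allow macOS stages.' although this hunk flips its default to false and the stages now key off BUILD_ON_MACOS (the `/test macos` comment, the macOS label, or a non-PR build), so someone reading the parameter form gets no hint that PR builds skip macOS by default; suggest `description: 'Run the macOS stages (off by default on PRs; also enabled by the macOS label or a /test macos comment).'`. The new `/test` alternative in the trigger is anchored with `^...$`, whereas the env-side check in loadConfigEnvVars (visible further down, outside this hunk) appears to do a substring match, so the two accept different comment shapes and are worth aligning. The `parameters` block continues past the hunk.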
@@ -127,14 +124,13 @@ pipeline { mageTargetWin(context: "Elastic Agent x-pack Windows Unit test", directory: "x-pack/elastic-agent", target: "build unitTest") } } - stage('Elastic Agent Mac OS X'){ agent { label 'macosx' } options { skipDefaultCheckout() } when { beforeAgent true expression { - return env.BUILD_ELASTIC_AGENT_XPACK != "false" && params.macosTest + return env.BUILD_ELASTIC_AGENT_XPACK != "false" && env.BUILD_ON_MACOS != 'false' } } steps { @@ -146,9 +142,8 @@ pipeline { } } } - stage('Filebeat oss'){ - agent { label 'ubuntu && immutable' } + agent { label 'ubuntu-18 && immutable' } options { skipDefaultCheckout() } when { beforeAgent true @@ -161,7 +156,7 @@ pipeline { } } stage('Filebeat x-pack'){ - agent { label 'ubuntu && immutable' } + agent { label 'ubuntu-18 && immutable' } options { skipDefaultCheckout() } when { beforeAgent true @@ -179,7 +174,7 @@ pipeline { when { beforeAgent true expression { - return env.BUILD_FILEBEAT != "false" && params.macosTest + return env.BUILD_FILEBEAT != "false" && env.BUILD_ON_MACOS != 'false' } } steps { @@ -197,7 +192,7 @@ pipeline { when { beforeAgent true expression { - return env.BUILD_FILEBEAT_XPACK != "false" && params.macosTest + return env.BUILD_FILEBEAT_XPACK != "false" && env.BUILD_ON_MACOS != 'false' } } steps { @@ -236,7 +231,7 @@ pipeline { } } stage('Heartbeat'){ - agent { label 'ubuntu && immutable' } + agent { label 'ubuntu-18 && immutable' } options { skipDefaultCheckout() } when { beforeAgent true @@ -256,7 +251,7 @@ pipeline { when { beforeAgent true expression { - return params.macosTest + return env.BUILD_ON_MACOS != 'false' } } steps { @@ -284,7 +279,7 @@ pipeline { } } stage('Auditbeat oss Linux'){ - agent { label 'ubuntu && immutable' } + agent { label 'ubuntu-18 && immutable' } options { skipDefaultCheckout() } when { beforeAgent true 
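Review bot: `env.BUILD_ON_MACOS != 'false'` is fail-open: Jenkins env values are strings, and an unset or empty BUILD_ON_MACOS (loadConfigEnvVars not yet run, or failing before the assignment) makes every macOS stage run, the opposite of the new default of skipping them on PRs. Comparing for the positive value, `return env.BUILD_ELASTIC_AGENT_XPACK != "false" && env.BUILD_ON_MACOS == 'true'`, keeps the stage skipped unless the flag was explicitly computed as true. The same expression is repeated in every macOS `when` block in this file, so the replacement should be applied uniformly; the enclosing stage definitions start and end outside the hunk.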
@@ -297,7 +292,7 @@ pipeline { } } stage('Auditbeat crosscompile'){ - agent { label 'ubuntu && immutable' } + agent { label 'ubuntu-18 && immutable' } options { skipDefaultCheckout() } when { beforeAgent true @@ -315,7 +310,7 @@ pipeline { when { beforeAgent true expression { - return env.BUILD_AUDITBEAT != "false" && params.macosTest + return env.BUILD_AUDITBEAT != "false" && env.BUILD_ON_MACOS != 'false' } } steps { @@ -341,7 +336,7 @@ pipeline { } } stage('Auditbeat x-pack'){ - agent { label 'ubuntu && immutable' } + agent { label 'ubuntu-18 && immutable' } options { skipDefaultCheckout() } when { beforeAgent true @@ -359,7 +354,7 @@ pipeline { when { beforeAgent true expression { - return env.BUILD_AUDITBEAT_XPACK != "false" && params.macosTest + return env.BUILD_AUDITBEAT_XPACK != "false" && env.BUILD_ON_MACOS != 'false' } } steps { @@ -380,7 +375,7 @@ pipeline { } } stage('Libbeat'){ - agent { label 'ubuntu && immutable' } + agent { label 'ubuntu-18 && immutable' } options { skipDefaultCheckout() } when { beforeAgent true @@ -407,7 +402,7 @@ pipeline { } } stage('Libbeat x-pack'){ - agent { label 'ubuntu && immutable' } + agent { label 'ubuntu-18 && immutable' } options { skipDefaultCheckout() } when { beforeAgent true @@ -420,7 +415,7 @@ pipeline { } } stage('Metricbeat OSS Unit tests'){ - agent { label 'ubuntu && immutable' } + agent { label 'ubuntu-18 && immutable' } options { skipDefaultCheckout() } when { beforeAgent true @@ -433,7 +428,7 @@ pipeline { } } stage('Metricbeat OSS Go Integration tests'){ - agent { label 'ubuntu && immutable' } + agent { label 'ubuntu-18 && immutable' } options { skipDefaultCheckout() } when { beforeAgent true @@ -446,7 +441,7 @@ pipeline { } } stage('Metricbeat OSS Python Integration tests'){ - agent { label 'ubuntu && immutable' } + agent { label 'ubuntu-18 && immutable' } options { skipDefaultCheckout() } when { beforeAgent true 
@@ -459,7 +454,7 @@ pipeline { } } stage('Metricbeat x-pack'){ - agent { label 'ubuntu && immutable' } + agent { label 'ubuntu-18 && immutable' } options { skipDefaultCheckout() } when { beforeAgent true @@ -469,7 +464,7 @@ pipeline { } stages { stage('Prepare cloud integration tests environments'){ - agent { label 'ubuntu && immutable' } + agent { label 'ubuntu-18 && immutable' } options { skipDefaultCheckout() } steps { startCloudTestEnv('x-pack-metricbeat', [ @@ -478,7 +473,7 @@ pipeline { } } stage('Metricbeat x-pack'){ - agent { label 'ubuntu && immutable' } + agent { label 'ubuntu-18 && immutable' } options { skipDefaultCheckout() } steps { withCloudTestEnv() { @@ -494,7 +489,7 @@ pipeline { } } stage('Metricbeat crosscompile'){ - agent { label 'ubuntu && immutable' } + agent { label 'ubuntu-18 && immutable' } options { skipDefaultCheckout() } when { beforeAgent true @@ -512,7 +507,7 @@ pipeline { when { beforeAgent true expression { - return env.BUILD_METRICBEAT != "false" && params.macosTest + return env.BUILD_METRICBEAT != "false" && env.BUILD_ON_MACOS != 'false' } } steps { @@ -525,7 +520,7 @@ pipeline { when { beforeAgent true expression { - return env.BUILD_METRICBEAT_XPACK != "false" && params.macosTest + return env.BUILD_METRICBEAT_XPACK != "false" && env.BUILD_ON_MACOS != 'false' } } steps { @@ -564,7 +559,7 @@ pipeline { } } stage('Packetbeat OSS'){ - agent { label 'ubuntu && immutable' } + agent { label 'ubuntu-18 && immutable' } options { skipDefaultCheckout() } when { beforeAgent true @@ -584,7 +579,7 @@ pipeline { when { beforeAgent true expression { - return params.macosTest + return env.BUILD_ON_MACOS != 'false' } } steps { @@ -612,7 +607,7 @@ pipeline { } } stage('dockerlogbeat'){ - agent { label 'ubuntu && immutable' } + agent { label 'ubuntu-18 && immutable' } options { skipDefaultCheckout() } when { beforeAgent true 
@@ -629,7 +624,7 @@ pipeline { } } stage('Winlogbeat'){ - agent { label 'ubuntu && immutable' } + agent { label 'ubuntu-18 && immutable' } options { skipDefaultCheckout() } when { beforeAgent true @@ -672,7 +667,7 @@ pipeline { } } stage('Functionbeat'){ - agent { label 'ubuntu && immutable' } + agent { label 'ubuntu-18 && immutable' } options { skipDefaultCheckout() } when { beforeAgent true @@ -695,7 +690,7 @@ pipeline { when { beforeAgent true expression { - return params.macosTest + return env.BUILD_ON_MACOS != 'false' } } steps { @@ -723,7 +718,7 @@ pipeline { } } stage('Journalbeat'){ - agent { label 'ubuntu && immutable' } + agent { label 'ubuntu-18 && immutable' } options { skipDefaultCheckout() } when { beforeAgent true @@ -734,13 +729,13 @@ pipeline { stages { stage('Journalbeat oss'){ steps { - mageTarget(context: "Journalbeat Linux", directory: "journalbeat", target: "build goUnitTest") + mageTarget(context: "Journalbeat Linux", directory: "journalbeat", target: "build unitTest") } } } } stage('Generators'){ - agent { label 'ubuntu && immutable' } + agent { label 'ubuntu-18 && immutable' } options { skipDefaultCheckout() } when { beforeAgent true @@ -767,7 +762,7 @@ pipeline { when { beforeAgent true expression { - return params.macosTest + return env.BUILD_ON_MACOS != 'false' } } steps { @@ -785,7 +780,7 @@ pipeline { when { beforeAgent true expression { - return params.macosTest + return env.BUILD_ON_MACOS != 'false' } } steps { @@ -800,7 +795,7 @@ pipeline { } } stage('Kubernetes'){ - agent { label 'ubuntu && immutable' } + agent { label 'ubuntu-18 && immutable' } options { skipDefaultCheckout() } when { beforeAgent true 
@@ -951,9 +946,6 @@ def withBeatsEnv(Map args = [:], Closure body) { if (archive) { archiveTestOutput(testResults: '**/build/TEST*.xml', artifacts: '**/build/TEST*.out') } - catchError(buildResult: 'SUCCESS', stageResult: 'UNSTABLE') { - sh(label: 'Report to Codecov', script: '.ci/scripts/report-codecov.sh auditbeat filebeat heartbeat journalbeat libbeat metricbeat packetbeat winlogbeat') - } } } } @@ -1343,6 +1335,12 @@ def loadConfigEnvVars(){ // Skip all the stages for changes only related to the documentation env.ONLY_DOCS = isDocChangedOnly() + + // Enable macOS builds when required + env.BUILD_ON_MACOS = (params.macosTest // UI Input parameter is set to true + || !isPR() // For branches and tags + || matchesPrLabel(label: 'macOS') // If `macOS` GH label (Case-Sensitive) + || (env.GITHUB_COMMENT?.toLowerCase()?.contains('/test macos'))) // If `/test macos` in the GH comment (Case-Insensitive) } /** diff --git a/README.md b/README.md index 1b383c288de..a85c40b3128 100644 --- a/README.md +++ b/README.md @@ -94,8 +94,8 @@ It is possible to trigger some jobs by putting a comment on a GitHub PR. (This service is only available for users affiliated with Elastic and not for open-source contributors.) * [beats][] - * `jenkins run the tests please` - * `jenkins run tests` + * `jenkins run the tests please` or `jenkins run tests` or `/test` will kick off a default build. + * `/test macos` will kick off a default build with also the `macos` stages. * [apm-beats-update][] * `/run apm-beats-update` diff --git a/auditbeat/Dockerfile b/auditbeat/Dockerfile index 194289595e2..d0c36136ce9 100644 --- a/auditbeat/Dockerfile +++ b/auditbeat/Dockerfile @@ -9,8 +9,6 @@ RUN \ librpm-dev \ && rm -rf /var/lib/apt/lists/* -ENV PYTHON_ENV=/tmp/python-env - RUN pip3 install --upgrade pip==20.1.1 RUN pip3 install --upgrade setuptools==47.3.2 RUN pip3 install --upgrade docker-compose==1.23.2 
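Review bot: The comment check `env.GITHUB_COMMENT?.toLowerCase()?.contains('/test macos')` is a substring match, while the issueCommentTrigger regex only accepts a comment that is exactly `/test` or `/test macos`; a comment such as "jenkins run tests, skip /test macos for now" fires through the legacy pattern and still enables the macOS stages. A full match on the trimmed comment, e.g. `|| (env.GITHUB_COMMENT?.trim()?.toLowerCase() ==~ /\/test\W+macos/)`, keeps both sides consistent. The boolean assigned to `env.BUILD_ON_MACOS` is stored as the string 'true'/'false' and the stage guards compare with `!= 'false'`, so a one-line comment here saying `// consumers compare the string value; unset means "run"` would warn the next reader about that fail-open edge. loadConfigEnvVars begins before the hunk.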
diff --git a/auditbeat/docs/running-on-kubernetes.asciidoc b/auditbeat/docs/running-on-kubernetes.asciidoc index d98bcaca1d6..73ac5cdd70f 100644 --- a/auditbeat/docs/running-on-kubernetes.asciidoc +++ b/auditbeat/docs/running-on-kubernetes.asciidoc @@ -4,6 +4,8 @@ {beatname_uc} <> can be used on Kubernetes to check files integrity. +TIP: Running {ecloud} on Kubernetes? See {eck-ref}/k8s-beat.html[Run {beats} on ECK]. + ifeval::["{release-state}"=="unreleased"] However, version {version} of {beatname_uc} has not yet been diff --git a/deploy/kubernetes/Makefile b/deploy/kubernetes/Makefile index 722cac158d1..a97e9a986f4 100644 --- a/deploy/kubernetes/Makefile +++ b/deploy/kubernetes/Makefile @@ -1,4 +1,4 @@ -ALL=filebeat metricbeat auditbeat +ALL=filebeat metricbeat auditbeat heartbeat BEAT_VERSION=$(shell head -n 1 ../../libbeat/docs/version.asciidoc | cut -c 17- ) .PHONY: all $(ALL) diff --git a/deploy/kubernetes/README.md b/deploy/kubernetes/README.md index 65275dc4e45..b1ee4207d3e 100644 --- a/deploy/kubernetes/README.md +++ b/deploy/kubernetes/README.md @@ -9,3 +9,5 @@ Beat | Description ---- | ---- [filebeat](filebeat) | Tails and ships logs [metricbeat](metricbeat) | Fetches sets of metrics from the operating system and services +[auditbeat](auditbeat) | Collect Linux audit framework data and monitor files integrity +[heartbeat](heartbeat) | Monitor services for their availability with active probing diff --git a/deploy/kubernetes/heartbeat-kubernetes.yaml b/deploy/kubernetes/heartbeat-kubernetes.yaml new file mode 100644 index 00000000000..cfb7622fd33 --- /dev/null +++ b/deploy/kubernetes/heartbeat-kubernetes.yaml 
@@ -0,0 +1,159 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: heartbeat-deployment-config
+ namespace: kube-system
+ labels:
+ k8s-app: heartbeat
+data:
+ heartbeat.yml: |-
+ #heartbeat.autodiscover:
+ # # Autodiscover pods
+ # providers:
+ # - type: kubernetes
+ # resource: pod
+ # scope: cluster
+ # node: ${NODE_NAME}
+ # hints.enabled: true
+ #
+ # # Autodiscover services
+ # providers:
+ # - type: kubernetes
+ # resource: service
+ # scope: cluster
+ # node: ${NODE_NAME}
+ # hints.enabled: true
+ #
+ # # Autodiscover nodes
+ # providers:
+ # - type: kubernetes
+ # resource: node
+ # node: ${NODE_NAME}
+ # scope: cluster
+ # templates:
+ # # Example, check SSH port of all cluster nodes:
+ # - condition: ~
+ # config:
+ # - hosts:
+ # - ${data.host}:22
+ # name: ${data.kubernetes.node.name}
+ # schedule: '@every 10s'
+ # timeout: 5s
+ # type: tcp
+
+ processors:
+ - add_cloud_metadata:
+
+ cloud.id: ${ELASTIC_CLOUD_ID}
+ cloud.auth: ${ELASTIC_CLOUD_AUTH}
+
+ output.elasticsearch:
+ hosts: ['${ELASTICSEARCH_HOST:elasticsearch}:${ELASTICSEARCH_PORT:9200}']
+ username: ${ELASTICSEARCH_USERNAME}
+ password: ${ELASTICSEARCH_PASSWORD}
+---
+# Deploy singleton instance in the whole cluster for some unique data sources, like kube-state-metrics
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: heartbeat
+ namespace: kube-system
+ labels:
+ k8s-app: heartbeat
+spec:
+ selector:
+ matchLabels:
+ k8s-app: heartbeat
+ template:
+ metadata:
+ labels:
+ k8s-app: heartbeat
+ spec:
+ serviceAccountName: heartbeat
+ hostNetwork: true
+ dnsPolicy: ClusterFirstWithHostNet
+ containers:
+ - name: heartbeat
+ image: docker.elastic.co/beats/heartbeat:8.0.0
+ args: [
+ "-c", "/etc/heartbeat.yml",
+ "-e",
+ ]
+ env:
+ - name: ELASTICSEARCH_HOST
+ value: elasticsearch
+ - name: ELASTICSEARCH_PORT
+ value: "9200"
+ - name: ELASTICSEARCH_USERNAME
+ value: elastic
+ - name: ELASTICSEARCH_PASSWORD
+ value: changeme
+ - name: ELASTIC_CLOUD_ID
+ value:
+ - name: ELASTIC_CLOUD_AUTH
+ value:
+ - name: NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ securityContext:
+ runAsUser: 0
+ resources:
+ limits:
+ memory: 200Mi
+ requests:
+ cpu: 100m
+ memory: 100Mi
+ volumeMounts:
+ - name: config
+ mountPath: /etc/heartbeat.yml
+ readOnly: true
+ subPath: heartbeat.yml
+ - name: data
+ mountPath: /usr/share/heartbeat/data
+ volumes:
+ - name: config
+ configMap:
+ defaultMode: 0600
+ name: heartbeat-deployment-config
+ - name: data
+ hostPath:
+ path: /var/lib/heartbeat-data
+ type: DirectoryOrCreate
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: heartbeat
+subjects:
+- kind: ServiceAccount
+ name: heartbeat
+ namespace: kube-system
+roleRef:
+ kind: ClusterRole
+ name: heartbeat
+ apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: heartbeat
+ labels:
+ k8s-app: heartbeat
+rules:
+- apiGroups: [""]
+ resources:
+ - nodes
+ - namespaces
+ - pods
+ verbs: ["get", "list", "watch"]
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: heartbeat
+ namespace: kube-system
+ labels:
+ k8s-app: heartbeat
+---
diff --git a/deploy/kubernetes/heartbeat/README.md b/deploy/kubernetes/heartbeat/README.md
new file mode 100644
index 00000000000..a42be6a4a50
--- /dev/null
+++ b/deploy/kubernetes/heartbeat/README.md
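Review bot: The Deployment carries the Elasticsearch password as a literal env value (`value: changeme`) and expects `ELASTIC_CLOUD_AUTH` to be filled in the same way, so credentials land in the pod spec where anyone with `get pods` in kube-system (or `kubectl describe`) can read them; they belong in a Secret referenced through `valueFrom.secretKeyRef`, the same `valueFrom` shape this manifest already uses for `NODE_NAME`. This combined file also pins `heartbeat:8.0.0` while the split manifest uses `%VERSION%`; presumably the Makefile regenerates it, but if it is hand-maintained the two will drift.
```yaml
# … unchanged: other env entries …
- name: ELASTICSEARCH_PASSWORD
  valueFrom:
    secretKeyRef:
      name: heartbeat-elasticsearch   # created out of band, not part of this manifest
      key: password
```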
@@ -0,0 +1,30 @@ +# Heartbeat + +## Monitor Kubernetes services uptime + +### Kubernetes Deployment + +Heartbeat can be deployed to monitor the whole cluster from a single pod. + +Everything is deployed under `kube-system` namespace, you can change that by +updating YAML manifests under this folder. + +### Settings + +We use official [Beats Docker images](https://github.com/elastic/beats-docker), +as they allow external files configuration, a [ConfigMap](https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/) +is used for kubernetes specific settings. Check [heartbeat-configmap.yaml](heartbeat-configmap.yaml) +for details. + +Also, [heartbeat-deployment.yaml](heartbeat-deployment.yaml) uses a set of environment +variables to configure Elasticsearch output: + +Variable | Default | Description +-------- | ------- | ----------- +ELASTICSEARCH_HOST | elasticsearch | Elasticsearch host +ELASTICSEARCH_PORT | 9200 | Elasticsearch port +ELASTICSEARCH_USERNAME | elastic | Elasticsearch username for HTTP auth +ELASTICSEARCH_PASSWORD | changeme | Elasticsearch password + +If there is an existing `elasticsearch` service in the kubernetes cluster these +defaults will use it. diff --git a/deploy/kubernetes/heartbeat/heartbeat-configmap.yaml b/deploy/kubernetes/heartbeat/heartbeat-configmap.yaml new file mode 100644 index 00000000000..639ad28ae2b --- /dev/null +++ b/deploy/kubernetes/heartbeat/heartbeat-configmap.yaml 
@@ -0,0 +1,53 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: heartbeat-deployment-config
+ namespace: kube-system
+ labels:
+ k8s-app: heartbeat
+data:
+ heartbeat.yml: |-
+ #heartbeat.autodiscover:
+ # # Autodiscover pods
+ # providers:
+ # - type: kubernetes
+ # resource: pod
+ # scope: cluster
+ # node: ${NODE_NAME}
+ # hints.enabled: true
+ #
+ # # Autodiscover services
+ # providers:
+ # - type: kubernetes
+ # resource: service
+ # scope: cluster
+ # node: ${NODE_NAME}
+ # hints.enabled: true
+ #
+ # # Autodiscover nodes
+ # providers:
+ # - type: kubernetes
+ # resource: node
+ # node: ${NODE_NAME}
+ # scope: cluster
+ # templates:
+ # # Example, check SSH port of all cluster nodes:
+ # - condition: ~
+ # config:
+ # - hosts:
+ # - ${data.host}:22
+ # name: ${data.kubernetes.node.name}
+ # schedule: '@every 10s'
+ # timeout: 5s
+ # type: tcp
+
+ processors:
+ - add_cloud_metadata:
+
+ cloud.id: ${ELASTIC_CLOUD_ID}
+ cloud.auth: ${ELASTIC_CLOUD_AUTH}
+
+ output.elasticsearch:
+ hosts: ['${ELASTICSEARCH_HOST:elasticsearch}:${ELASTICSEARCH_PORT:9200}']
+ username: ${ELASTICSEARCH_USERNAME}
+ password: ${ELASTICSEARCH_PASSWORD}
diff --git a/deploy/kubernetes/heartbeat/heartbeat-deployment.yaml b/deploy/kubernetes/heartbeat/heartbeat-deployment.yaml
new file mode 100644
index 00000000000..3f7a471b457
--- /dev/null
+++ b/deploy/kubernetes/heartbeat/heartbeat-deployment.yaml
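Review bot: `output.elasticsearch.hosts` carries no scheme and the block sets no `protocol` or `ssl.*` option, so unless the deployer puts `https://` into ELASTICSEARCH_HOST the basic-auth `username`/`password` pair is sent over plain HTTP to the `elasticsearch` service (Beats falls back to http when the scheme is absent, as far as I recall). A cluster-internal hop is still a hop; at minimum add a comment next to `hosts:` such as `# Use https://... in ELASTICSEARCH_HOST and set ssl.certificate_authorities for a TLS-protected cluster.`, or add `protocol: ${ELASTICSEARCH_PROTOCOL:https}` and `ssl.certificate_authorities: ["/etc/heartbeat/ca.crt"]` with the CA mounted from a Secret. The `cloud.id`/`cloud.auth` lines expand to empty strings when the env vars are unset; presumably heartbeat treats empty as not configured, but a comment saying so would save the reader a check.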
@@ -0,0 +1,69 @@
+# Deploy singleton instance in the whole cluster for some unique data sources, like kube-state-metrics
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: heartbeat
+ namespace: kube-system
+ labels:
+ k8s-app: heartbeat
+spec:
+ selector:
+ matchLabels:
+ k8s-app: heartbeat
+ template:
+ metadata:
+ labels:
+ k8s-app: heartbeat
+ spec:
+ serviceAccountName: heartbeat
+ hostNetwork: true
+ dnsPolicy: ClusterFirstWithHostNet
+ containers:
+ - name: heartbeat
+ image: docker.elastic.co/beats/heartbeat:%VERSION%
+ args: [
+ "-c", "/etc/heartbeat.yml",
+ "-e",
+ ]
+ env:
+ - name: ELASTICSEARCH_HOST
+ value: elasticsearch
+ - name: ELASTICSEARCH_PORT
+ value: "9200"
+ - name: ELASTICSEARCH_USERNAME
+ value: elastic
+ - name: ELASTICSEARCH_PASSWORD
+ value: changeme
+ - name: ELASTIC_CLOUD_ID
+ value:
+ - name: ELASTIC_CLOUD_AUTH
+ value:
+ - name: NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ securityContext:
+ runAsUser: 0
+ resources:
+ limits:
+ memory: 200Mi
+ requests:
+ cpu: 100m
+ memory: 100Mi
+ volumeMounts:
+ - name: config
+ mountPath: /etc/heartbeat.yml
+ readOnly: true
+ subPath: heartbeat.yml
+ - name: data
+ mountPath: /usr/share/heartbeat/data
+ volumes:
+ - name: config
+ configMap:
+ defaultMode: 0600
+ name: heartbeat-deployment-config
+ - name: data
+ hostPath:
+ path: /var/lib/heartbeat-data
+ type: DirectoryOrCreate
+
diff --git a/deploy/kubernetes/heartbeat/heartbeat-role-binding.yaml b/deploy/kubernetes/heartbeat/heartbeat-role-binding.yaml
new file mode 100644
index 00000000000..5fe59dd56b8
--- /dev/null
+++ b/deploy/kubernetes/heartbeat/heartbeat-role-binding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: heartbeat
+subjects:
+- kind: ServiceAccount
+ name: heartbeat
+ namespace: kube-system
+roleRef:
+ kind: ClusterRole
+ name: heartbeat
+ apiGroup: rbac.authorization.k8s.io
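Review bot: `runAsUser: 0` together with `hostNetwork: true` and a writable hostPath (`/var/lib/heartbeat-data`, `DirectoryOrCreate`) gives a single probing process root in the node's network namespace plus a foothold on the node filesystem; http/tcp monitors do not need root, and uid 0 here is presumably only so the container can write the root-owned hostPath directory. A singleton Deployment can be rescheduled to any node, so that hostPath is not stable across restarts anyway; an `emptyDir` for the data volume removes the reason for root, and if ICMP monitors are wanted `capabilities.add: ["NET_RAW"]` is the narrower grant (confirm the image's default user can write the data dir). The `%VERSION%` tag is presumably substituted by the Makefile.
```yaml
# … unchanged: container name, image, args, env …
securityContext:
  capabilities:
    add: ["NET_RAW"]   # only needed for ICMP monitors; drop otherwise
# … unchanged: resources, volumeMounts …
volumes:
- name: config
  configMap:
    defaultMode: 0600
    name: heartbeat-deployment-config
- name: data
  emptyDir: {}
```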
diff --git a/deploy/kubernetes/heartbeat/heartbeat-role.yaml b/deploy/kubernetes/heartbeat/heartbeat-role.yaml new file mode 100644 index 00000000000..50782d99aed --- /dev/null +++ b/deploy/kubernetes/heartbeat/heartbeat-role.yaml @@ -0,0 +1,13 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: heartbeat + labels: + k8s-app: heartbeat +rules: +- apiGroups: [""] + resources: + - nodes + - namespaces + - pods + verbs: ["get", "list", "watch"] diff --git a/deploy/kubernetes/heartbeat/heartbeat-service-account.yaml b/deploy/kubernetes/heartbeat/heartbeat-service-account.yaml new file mode 100644 index 00000000000..461c335e176 --- /dev/null +++ b/deploy/kubernetes/heartbeat/heartbeat-service-account.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: heartbeat + namespace: kube-system + labels: + k8s-app: heartbeat diff --git a/dev-tools/mage/dmgbuilder.go b/dev-tools/mage/dmgbuilder.go index c04a5eea6f7..5a8f574ed29 100644 --- a/dev-tools/mage/dmgbuilder.go +++ b/dev-tools/mage/dmgbuilder.go @@ -111,6 +111,9 @@ func (b *dmgBuilder) buildBeatPkg() error { for _, f := range b.Files { target := filepath.Join(beatPkgRoot, f.Target) if err := Copy(f.Source, target); err != nil { + if f.SkipOnMissing && errors.Is(err, os.ErrNotExist) { + return nil + } return err } diff --git a/dev-tools/mage/dockerbuilder.go b/dev-tools/mage/dockerbuilder.go index adc30aabfd7..e1d91881aad 100644 --- a/dev-tools/mage/dockerbuilder.go +++ b/dev-tools/mage/dockerbuilder.go @@ -102,6 +102,9 @@ func (b *dockerBuilder) copyFiles() error { for _, f := range b.Files { target := filepath.Join(b.beatDir, f.Target) if err := Copy(f.Source, target); err != nil { + if f.SkipOnMissing && errors.Is(err, os.ErrNotExist) { + return nil + } return errors.Wrapf(err, "failed to copy from %s to %s", f.Source, target) } } diff --git a/dev-tools/mage/integtest_docker.go b/dev-tools/mage/integtest_docker.go index da7ecf33c37..2ed09db711e 100644 
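Review bot: The ClusterRole grants get/list/watch on nodes, namespaces and pods only, but the autodiscover example shipped (commented out) in the ConfigMap configures a provider with `resource: service`, so anyone who uncomments that block will hit RBAC denials on the services watch. Either add `- services` to the `resources:` list or note in the role that the services provider needs an extra rule. Cluster-wide read on pods is what a cluster-scoped autodiscover needs, so the scope itself looks right.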
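Review bot: `return nil` sits inside the `for _, f := range b.Files` loop, so the first optional file that is missing ends buildBeatPkg early and silently drops every file listed after it from the package; the skip should be `continue`, i.e. `if f.SkipOnMissing && errors.Is(err, os.ErrNotExist) { continue }`. The check also depends on `Copy` returning an error that unwraps to `os.ErrNotExist`; if `Copy` wraps with a library whose wrapper has no `Unwrap`, `errors.Is` never matches and the flag is a no-op, so a test with a deliberately missing `skip_on_missing` file would be worth adding. buildBeatPkg continues past the hunk.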
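Review bot: Same loop-exit bug as in dmgbuilder.go: `return nil` inside `for _, f := range b.Files` makes copyFiles stop at the first missing optional file and report success, leaving every later file out of the Docker build context; use `continue` here too. This file wraps errors with `errors.Wrapf`, which suggests `errors` is not the standard library package; `errors.Is` only behaves as intended if that package forwards to the stdlib implementation (pkg/errors does from v0.9, to be confirmed against the vendored version). copyFiles continues past the hunk.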
--- a/dev-tools/mage/integtest_docker.go +++ b/dev-tools/mage/integtest_docker.go @@ -19,6 +19,7 @@ package mage import ( "fmt" + "go/build" "io/ioutil" "os" "path" @@ -94,6 +95,8 @@ func (d *DockerIntegrationTester) Test(_ string, mageTarget string, env map[stri dockerRepoRoot := filepath.Join("/go/src", repo.CanonicalRootImportPath) dockerGoCache := filepath.Join(dockerRepoRoot, "build/docker-gocache") magePath := filepath.Join("/go/src", repo.CanonicalRootImportPath, repo.SubDir, "build/mage-linux-amd64") + goPkgCache := filepath.Join(filepath.SplitList(build.Default.GOPATH)[0], "pkg/mod/cache/download") + dockerGoPkgCache := "/gocache" // Execute the inside of docker-compose. args := []string{"-p", dockerComposeProjectName(), "run", @@ -105,6 +108,9 @@ func (d *DockerIntegrationTester) Test(_ string, mageTarget string, env map[stri "-e", "STACK_ENVIRONMENT=" + StackEnvironment, "-e", "TESTING_ENVIRONMENT=" + StackEnvironment, "-e", "GOCACHE=" + dockerGoCache, + // Use the host machine's pkg cache to minimize external downloads. + "-v", goPkgCache + ":" + dockerGoPkgCache + ":ro", + "-e", "GOPROXY=file://" + dockerGoPkgCache + ",direct", } args, err = addUidGidEnvArgs(args) if err != nil { diff --git a/dev-tools/mage/pkgtypes.go b/dev-tools/mage/pkgtypes.go index 82fea52376c..5800d5b5c18 100644 --- a/dev-tools/mage/pkgtypes.go +++ b/dev-tools/mage/pkgtypes.go 
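Review bot: `filepath.SplitList(build.Default.GOPATH)[0]` indexes without a length check; `build.Default.GOPATH` is empty when GOPATH is unset and HOME cannot be resolved, and `SplitList("")` returns an empty slice, so the tester would panic instead of falling back to network downloads. In addition, when `pkg/mod/cache/download` does not yet exist on the host, a `-v host:container` bind mount makes the docker daemon create the missing host directory, typically root-owned, which later breaks `go mod download` for the unprivileged user (behaviour of the classic `-v` syntax, to be confirmed). Mount the cache only when the path is known and exists, and otherwise leave GOPROXY at its default so the public proxy and sum-db verification still apply; the appended args must still precede the compose service name, which the hunk does not show. The Test method begins before the hunk.
```go
// Use the host machine's pkg cache to minimize external downloads.
// Only mount it when it already exists: docker would otherwise create a
// root-owned directory on the host, and SplitList("") has no element 0.
var cacheArgs []string
if gopaths := filepath.SplitList(build.Default.GOPATH); len(gopaths) > 0 {
	goPkgCache := filepath.Join(gopaths[0], "pkg", "mod", "cache", "download")
	if fi, err := os.Stat(goPkgCache); err == nil && fi.IsDir() {
		cacheArgs = []string{
			"-v", goPkgCache + ":" + dockerGoPkgCache + ":ro",
			"-e", "GOPROXY=file://" + dockerGoPkgCache + ",direct",
		}
	}
}
// … unchanged: args := []string{"-p", dockerComposeProjectName(), "run", …, "-e", "GOCACHE=" + dockerGoCache} …
args = append(args, cacheArgs...)
```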
@@ -98,15 +98,16 @@ type PackageSpec struct { // PackageFile represents a file or directory within a package. type PackageFile struct { - Source string `yaml:"source,omitempty"` // Regular source file or directory. - Content string `yaml:"content,omitempty"` // Inline template string. - Template string `yaml:"template,omitempty"` // Input template file. - Target string `yaml:"target,omitempty"` // Target location in package. Relative paths are added to a package specific directory (e.g. metricbeat-7.0.0-linux-x86_64). - Mode os.FileMode `yaml:"mode,omitempty"` // Target mode for file. Does not apply when source is a directory. - Config bool `yaml:"config"` // Mark file as config in the package (deb and rpm only). - Modules bool `yaml:"modules"` // Mark directory as directory with modules. - Dep func(PackageSpec) error `yaml:"-" hash:"-" json:"-"` // Dependency to invoke during Evaluate. - Owner string `yaml:"owner,omitempty"` // File Owner, for user and group name (rpm only). + Source string `yaml:"source,omitempty"` // Regular source file or directory. + Content string `yaml:"content,omitempty"` // Inline template string. + Template string `yaml:"template,omitempty"` // Input template file. + Target string `yaml:"target,omitempty"` // Target location in package. Relative paths are added to a package specific directory (e.g. metricbeat-7.0.0-linux-x86_64). + Mode os.FileMode `yaml:"mode,omitempty"` // Target mode for file. Does not apply when source is a directory. + Config bool `yaml:"config"` // Mark file as config in the package (deb and rpm only). + Modules bool `yaml:"modules"` // Mark directory as directory with modules. + Dep func(PackageSpec) error `yaml:"-" hash:"-" json:"-"` // Dependency to invoke during Evaluate. + Owner string `yaml:"owner,omitempty"` // File Owner, for user and group name (rpm only). + SkipOnMissing bool `yaml:"skip_on_missing,omitempty"` // Prevents build failure if the file is missing. 
} // OSArchNames defines the names of architectures for use in packages. @@ -758,6 +759,10 @@ func addUidGidEnvArgs(args []string) ([]string, error) { func addFileToZip(ar *zip.Writer, baseDir string, pkgFile PackageFile) error { return filepath.Walk(pkgFile.Source, func(path string, info os.FileInfo, err error) error { if err != nil { + if pkgFile.SkipOnMissing && os.IsNotExist(err) { + return nil + } + return err } @@ -819,6 +824,10 @@ func addFileToZip(ar *zip.Writer, baseDir string, pkgFile PackageFile) error { func addFileToTar(ar *tar.Writer, baseDir string, pkgFile PackageFile) error { return filepath.Walk(pkgFile.Source, func(path string, info os.FileInfo, err error) error { if err != nil { + if pkgFile.SkipOnMissing && os.IsNotExist(err) { + return nil + } + return err } diff --git a/dev-tools/packaging/packages.yml b/dev-tools/packaging/packages.yml index 531d388bc99..6c3752fb2fa 100644 --- a/dev-tools/packaging/packages.yml +++ b/dev-tools/packaging/packages.yml 
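Review bot: The comment on the new `SkipOnMissing` field says only that it prevents a build failure, but in this commit the flag is honored by exactly four code paths (addFileToZip and addFileToTar here, dmgBuilder.buildBeatPkg and dockerBuilder.copyFiles); whether the deb/rpm copiers check it is not visible in the diff, even though packages.yml sets it on the `/var/lib/...` and `/etc/...` entries that presumably feed those package types. Spell the scope out on the field so a spec author knows where the flag is a no-op, e.g. `// Skip this file instead of failing the build when Source does not exist. Honored by the zip/tar, dmg and docker builders; other package types must check it explicitly.` Stating that the skip is silent (no warning is emitted) belongs in the same comment, since the entries using it are checksum and signature files.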
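Review bot: The `os.IsNotExist` skip in the walkFn of addFileToZip returns nil for any path under `pkgFile.Source`, not only a missing root, and it does so silently; with `.sha512` and `.asc` entries now marked skip_on_missing in packages.yml, an archive built without its integrity artifacts is indistinguishable from a complete one in the build output. A single warning at the skip point (`log.Printf("skipping missing file %s", path)` if pkgtypes.go imports log, otherwise the logger it already uses) makes the omission visible; the identical branch in the addFileToTar hunk below needs the same treatment. The extra blank line the commit inserts between the new `}` and `return err` is also inconsistent with the dmgbuilder/dockerbuilder hunks of this commit.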
@@ -57,15 +57,36 @@ shared: /var/lib/{{.BeatName}}/downloads/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz: source: '{{.AgentDropPath}}/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz' mode: 0644 - /var/lib/{{.BeatName}}/downloads/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz: - source: '{{.AgentDropPath}}/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz' - mode: 0644 /var/lib/{{.BeatName}}/downloads/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512: source: '{{.AgentDropPath}}/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512' mode: 0644 + /var/lib/{{.BeatName}}/downloads/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.asc: + source: '{{.AgentDropPath}}/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.asc' + mode: 0644 + skip_on_missing: true + /var/lib/{{.BeatName}}/downloads/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz: + source: '{{.AgentDropPath}}/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz' + mode: 0644 /var/lib/{{.BeatName}}/downloads/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512: source: '{{.AgentDropPath}}/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512' mode: 0644 + /var/lib/{{.BeatName}}/downloads/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.asc: + source: '{{.AgentDropPath}}/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.asc' + mode: 0644 + 
skip_on_missing: true + /var/lib/{{.BeatName}}/downloads/endpoint-security-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz: + source: '{{.AgentDropPath}}/endpoint-security-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz' + mode: 0644 + skip_on_missing: true + /var/lib/{{.BeatName}}/downloads/endpoint-security-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512: + source: '{{.AgentDropPath}}/endpoint-security-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512' + mode: 0644 + skip_on_missing: true + /var/lib/{{.BeatName}}/downloads/endpoint-security-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.asc: + source: '{{.AgentDropPath}}/endpoint-security-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.asc' + mode: 0644 + skip_on_missing: true + # MacOS pkg spec for community beats. 
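Review bot: Marking the `.sha512` and `.asc` entries `skip_on_missing: true` turns the checksum and detached signature into optional build inputs, so a package whose drop directory lacks them is produced with no record that the integrity artifacts are absent; the same pattern repeats in the three following hunks of this file. That is a reasonable convenience for local builds, but it should not silently reach release builds: a comment on the first such entry, e.g. `# .sha512/.asc are optional so local builds work without a signed drop; release builds must verify they were packaged`, plus a warning from the code that honors the flag, keeps the trade-off explicit. Whether the agent refuses to install a downloaded tarball whose `.sha512` is missing is not visible here and is worth confirming before relying on this.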
@@ -106,15 +127,36 @@ shared: /etc/{{.BeatName}}/data/downloads/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz: source: '{{.AgentDropPath}}/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz' mode: 0644 - /etc/{{.BeatName}}/data/downloads/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz: - source: '{{.AgentDropPath}}/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz' - mode: 0644 /etc/{{.BeatName}}/data/downloads/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512: source: '{{.AgentDropPath}}/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512' mode: 0644 + skip_on_missing: true + /etc/{{.BeatName}}/data/downloads/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.asc: + source: '{{.AgentDropPath}}/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.asc' + mode: 0644 + skip_on_missing: true + /etc/{{.BeatName}}/data/downloads/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz: + source: '{{.AgentDropPath}}/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz' + mode: 0644 /etc/{{.BeatName}}/data/downloads/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512: source: '{{.AgentDropPath}}/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512' mode: 0644 + /etc/{{.BeatName}}/data/downloads/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.asc: + source: '{{.AgentDropPath}}/metricbeat-{{ beat_version }}{{if 
.Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.asc' + mode: 0644 + skip_on_missing: true + /etc/{{.BeatName}}/data/downloads/endpoint-security-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz: + source: '{{.AgentDropPath}}/endpoint-security-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz' + mode: 0644 + skip_on_missing: true + /etc/{{.BeatName}}/data/downloads/endpoint-security-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512: + source: '{{.AgentDropPath}}/endpoint-security-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512' + mode: 0644 + skip_on_missing: true + /etc/{{.BeatName}}/data/downloads/endpoint-security-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.asc: + source: '{{.AgentDropPath}}/endpoint-security-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.asc' + mode: 0644 + skip_on_missing: true - &agent_binary_files '{{.BeatName}}{{.BinaryExt}}': 
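Review bot: In this hunk the filebeat `.tar.gz.sha512` entry under `/etc/{{.BeatName}}/data/downloads/` gains `skip_on_missing: true`, while the corresponding filebeat `.sha512` entries in the other three hunks of this file, and the metricbeat `.sha512` entry a few lines below in this same hunk, stay mandatory. The filebeat tarball itself is mandatory in every spec, so making only its checksum optional in only this spec looks accidental; drop the added `skip_on_missing: true` on that entry, or add a comment stating why the deb/rpm spec alone tolerates a missing filebeat checksum.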
@@ -146,16 +188,35 @@ shared: 'data/downloads/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz': source: '{{.AgentDropPath}}/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz' mode: 0644 - 'data/downloads/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz': - source: '{{.AgentDropPath}}/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz' - mode: 0644 - <<: *agent_binary_files 'data/downloads/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512': source: '{{.AgentDropPath}}/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512' mode: 0644 + 'data/downloads/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.asc': + source: '{{.AgentDropPath}}/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.asc' + mode: 0644 + skip_on_missing: true + 'data/downloads/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz': + source: '{{.AgentDropPath}}/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz' + mode: 0644 'data/downloads/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512': source: '{{.AgentDropPath}}/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512' mode: 0644 + 'data/downloads/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.asc': + source: '{{.AgentDropPath}}/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.asc' + mode: 0644 + skip_on_missing: true + 'data/downloads/endpoint-security-{{ beat_version }}{{if 
.Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz': + source: '{{.AgentDropPath}}/endpoint-security-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz' + mode: 0644 + skip_on_missing: true + 'data/downloads/endpoint-security-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512': + source: '{{.AgentDropPath}}/endpoint-security-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.sha512' + mode: 0644 + skip_on_missing: true + 'data/downloads/endpoint-security-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.asc': + source: '{{.AgentDropPath}}/endpoint-security-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.tar.gz.asc' + mode: 0644 + skip_on_missing: true # Binary package spec (zip for windows) for community beats. - &agent_windows_binary_spec 
@@ -171,15 +232,35 @@ shared: 'data/downloads/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip': source: '{{.AgentDropPath}}/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip' mode: 0644 - 'data/downloads/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip': - source: '{{.AgentDropPath}}/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip' - mode: 0644 'data/downloads/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip.sha512': source: '{{.AgentDropPath}}/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip.sha512' mode: 0644 + 'data/downloads/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip.asc': + source: '{{.AgentDropPath}}/filebeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip.asc' + mode: 0644 + skip_on_missing: true + 'data/downloads/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip': + source: '{{.AgentDropPath}}/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip' + mode: 0644 'data/downloads/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip.sha512': source: '{{.AgentDropPath}}/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip.sha512' mode: 0644 + 'data/downloads/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip.asc': + source: '{{.AgentDropPath}}/metricbeat-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip.asc' + mode: 0644 + skip_on_missing: true + 'data/downloads/endpoint-security-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip': + 
source: '{{.AgentDropPath}}/endpoint-security-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip' + mode: 0644 + skip_on_missing: true + 'data/downloads/endpoint-security-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip.sha512': + source: '{{.AgentDropPath}}/endpoint-security-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip.sha512' + mode: 0644 + skip_on_missing: true + 'data/downloads/endpoint-security-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip.asc': + source: '{{.AgentDropPath}}/endpoint-security-{{ beat_version }}{{if .Snapshot}}-SNAPSHOT{{end}}-{{.GOOS}}-{{.AgentArchName}}.zip.asc' + mode: 0644 + skip_on_missing: true - &agent_docker_spec <<: *agent_binary_spec diff --git a/filebeat/Dockerfile b/filebeat/Dockerfile index e4aec49417d..4f4b04940bf 100644 --- a/filebeat/Dockerfile +++ b/filebeat/Dockerfile @@ -12,8 +12,6 @@ RUN \ libpcap-dev \ && rm -rf /var/lib/apt/lists/* -ENV PYTHON_ENV=/tmp/python-env - RUN pip3 install --upgrade pip==20.1.1 RUN pip3 install --upgrade setuptools==47.3.2 RUN pip3 install --upgrade docker-compose==1.23.2 diff --git a/filebeat/docs/fields.asciidoc b/filebeat/docs/fields.asciidoc index f3136d3bba3..9921f76167a 100644 --- a/filebeat/docs/fields.asciidoc +++ b/filebeat/docs/fields.asciidoc @@ -20477,14 +20477,7 @@ Module for handling Cisco network device logs. [float] -=== cisco - -Fields from Cisco logs. - - - -[float] -=== asa +=== cisco.asa Fields for Cisco ASA Firewall. @@ -20693,7 +20686,7 @@ type: keyword -- [float] -=== ftd +=== cisco.ftd Fields for Cisco Firepower Threat Defense Firewall. @@ -20911,7 +20904,7 @@ type: keyword -- [float] -=== ios +=== cisco.ios Fields for Cisco IOS logs. @@ -20939,7 +20932,7 @@ example: SEC -- -*`cisco.network.interface.name`*:: +*`network.interface.name`*:: + -- Name of the network interface where the traffic has been observed. 
@@ -20951,7 +20944,7 @@ type: keyword -*`cisco.rsa.internal.msg`*:: +*`rsa.internal.msg`*:: + -- This key is used to capture the raw message that comes into the Log Decoder @@ -20960,21 +20953,21 @@ type: keyword -- -*`cisco.rsa.internal.messageid`*:: +*`rsa.internal.messageid`*:: + -- type: keyword -- -*`cisco.rsa.internal.event_desc`*:: +*`rsa.internal.event_desc`*:: + -- type: keyword -- -*`cisco.rsa.internal.message`*:: +*`rsa.internal.message`*:: + -- This key captures the contents of instant messages @@ -20983,7 +20976,7 @@ type: keyword -- -*`cisco.rsa.internal.time`*:: +*`rsa.internal.time`*:: + -- This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. @@ -20992,7 +20985,7 @@ type: date -- -*`cisco.rsa.internal.level`*:: +*`rsa.internal.level`*:: + -- Deprecated key defined only in table map. @@ -21001,7 +20994,7 @@ type: long -- -*`cisco.rsa.internal.msg_id`*:: +*`rsa.internal.msg_id`*:: + -- This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -21010,7 +21003,7 @@ type: keyword -- -*`cisco.rsa.internal.msg_vid`*:: +*`rsa.internal.msg_vid`*:: + -- This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -21019,7 +21012,7 @@ type: keyword -- -*`cisco.rsa.internal.data`*:: +*`rsa.internal.data`*:: + -- Deprecated key defined only in table map. @@ -21028,7 +21021,7 @@ type: keyword -- -*`cisco.rsa.internal.obj_server`*:: +*`rsa.internal.obj_server`*:: + -- Deprecated key defined only in table map. 
@@ -21037,7 +21030,7 @@ type: keyword -- -*`cisco.rsa.internal.obj_val`*:: +*`rsa.internal.obj_val`*:: + -- Deprecated key defined only in table map. @@ -21046,7 +21039,7 @@ type: keyword -- -*`cisco.rsa.internal.resource`*:: +*`rsa.internal.resource`*:: + -- Deprecated key defined only in table map. @@ -21055,7 +21048,7 @@ type: keyword -- -*`cisco.rsa.internal.obj_id`*:: +*`rsa.internal.obj_id`*:: + -- Deprecated key defined only in table map. @@ -21064,7 +21057,7 @@ type: keyword -- -*`cisco.rsa.internal.statement`*:: +*`rsa.internal.statement`*:: + -- Deprecated key defined only in table map. @@ -21073,7 +21066,7 @@ type: keyword -- -*`cisco.rsa.internal.audit_class`*:: +*`rsa.internal.audit_class`*:: + -- Deprecated key defined only in table map. @@ -21082,7 +21075,7 @@ type: keyword -- -*`cisco.rsa.internal.entry`*:: +*`rsa.internal.entry`*:: + -- Deprecated key defined only in table map. @@ -21091,7 +21084,7 @@ type: keyword -- -*`cisco.rsa.internal.hcode`*:: +*`rsa.internal.hcode`*:: + -- Deprecated key defined only in table map. @@ -21100,7 +21093,7 @@ type: keyword -- -*`cisco.rsa.internal.inode`*:: +*`rsa.internal.inode`*:: + -- Deprecated key defined only in table map. @@ -21109,7 +21102,7 @@ type: long -- -*`cisco.rsa.internal.resource_class`*:: +*`rsa.internal.resource_class`*:: + -- Deprecated key defined only in table map. @@ -21118,7 +21111,7 @@ type: keyword -- -*`cisco.rsa.internal.dead`*:: +*`rsa.internal.dead`*:: + -- Deprecated key defined only in table map. @@ -21127,7 +21120,7 @@ type: long -- -*`cisco.rsa.internal.feed_desc`*:: +*`rsa.internal.feed_desc`*:: + -- This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness 
@@ -21136,7 +21129,7 @@ type: keyword -- -*`cisco.rsa.internal.feed_name`*:: +*`rsa.internal.feed_name`*:: + -- This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -21145,7 +21138,7 @@ type: keyword -- -*`cisco.rsa.internal.cid`*:: +*`rsa.internal.cid`*:: + -- This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -21154,7 +21147,7 @@ type: keyword -- -*`cisco.rsa.internal.device_class`*:: +*`rsa.internal.device_class`*:: + -- This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -21163,7 +21156,7 @@ type: keyword -- -*`cisco.rsa.internal.device_group`*:: +*`rsa.internal.device_group`*:: + -- This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -21172,7 +21165,7 @@ type: keyword -- -*`cisco.rsa.internal.device_host`*:: +*`rsa.internal.device_host`*:: + -- This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -21181,7 +21174,7 @@ type: keyword -- -*`cisco.rsa.internal.device_ip`*:: +*`rsa.internal.device_ip`*:: + -- This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness 
@@ -21190,7 +21183,7 @@ type: ip -- -*`cisco.rsa.internal.device_ipv6`*:: +*`rsa.internal.device_ipv6`*:: + -- This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -21199,7 +21192,7 @@ type: ip -- -*`cisco.rsa.internal.device_type`*:: +*`rsa.internal.device_type`*:: + -- This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -21208,7 +21201,7 @@ type: keyword -- -*`cisco.rsa.internal.device_type_id`*:: +*`rsa.internal.device_type_id`*:: + -- Deprecated key defined only in table map. @@ -21217,7 +21210,7 @@ type: long -- -*`cisco.rsa.internal.did`*:: +*`rsa.internal.did`*:: + -- This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -21226,7 +21219,7 @@ type: keyword -- -*`cisco.rsa.internal.entropy_req`*:: +*`rsa.internal.entropy_req`*:: + -- This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration @@ -21235,7 +21228,7 @@ type: long -- -*`cisco.rsa.internal.entropy_res`*:: +*`rsa.internal.entropy_res`*:: + -- This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration @@ -21244,7 +21237,7 @@ type: long -- -*`cisco.rsa.internal.event_name`*:: +*`rsa.internal.event_name`*:: + -- Deprecated key defined only in table map. @@ -21253,7 +21246,7 @@ type: keyword -- -*`cisco.rsa.internal.feed_category`*:: +*`rsa.internal.feed_category`*:: + -- This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness 
@@ -21262,7 +21255,7 @@ type: keyword -- -*`cisco.rsa.internal.forward_ip`*:: +*`rsa.internal.forward_ip`*:: + -- This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. @@ -21271,7 +21264,7 @@ type: ip -- -*`cisco.rsa.internal.forward_ipv6`*:: +*`rsa.internal.forward_ipv6`*:: + -- This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -21280,7 +21273,7 @@ type: ip -- -*`cisco.rsa.internal.header_id`*:: +*`rsa.internal.header_id`*:: + -- This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -21289,7 +21282,7 @@ type: keyword -- -*`cisco.rsa.internal.lc_cid`*:: +*`rsa.internal.lc_cid`*:: + -- This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -21298,7 +21291,7 @@ type: keyword -- -*`cisco.rsa.internal.lc_ctime`*:: +*`rsa.internal.lc_ctime`*:: + -- This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -21307,7 +21300,7 @@ type: date -- -*`cisco.rsa.internal.mcb_req`*:: +*`rsa.internal.mcb_req`*:: + -- This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most 
@@ -21316,7 +21309,7 @@ type: long -- -*`cisco.rsa.internal.mcb_res`*:: +*`rsa.internal.mcb_res`*:: + -- This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most @@ -21325,7 +21318,7 @@ type: long -- -*`cisco.rsa.internal.mcbc_req`*:: +*`rsa.internal.mcbc_req`*:: + -- This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams @@ -21334,7 +21327,7 @@ type: long -- -*`cisco.rsa.internal.mcbc_res`*:: +*`rsa.internal.mcbc_res`*:: + -- This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams @@ -21343,7 +21336,7 @@ type: long -- -*`cisco.rsa.internal.medium`*:: +*`rsa.internal.medium`*:: + -- This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session @@ -21352,7 +21345,7 @@ type: long -- -*`cisco.rsa.internal.node_name`*:: +*`rsa.internal.node_name`*:: + -- Deprecated key defined only in table map. @@ -21361,7 +21354,7 @@ type: keyword -- -*`cisco.rsa.internal.nwe_callback_id`*:: +*`rsa.internal.nwe_callback_id`*:: + -- This key denotes that event is endpoint related @@ -21370,7 +21363,7 @@ type: keyword -- -*`cisco.rsa.internal.parse_error`*:: +*`rsa.internal.parse_error`*:: + -- This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness 
@@ -21379,7 +21372,7 @@ type: keyword -- -*`cisco.rsa.internal.payload_req`*:: +*`rsa.internal.payload_req`*:: + -- This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep @@ -21388,7 +21381,7 @@ type: long -- -*`cisco.rsa.internal.payload_res`*:: +*`rsa.internal.payload_res`*:: + -- This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep @@ -21397,7 +21390,7 @@ type: long -- -*`cisco.rsa.internal.process_vid_dst`*:: +*`rsa.internal.process_vid_dst`*:: + -- Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. @@ -21406,7 +21399,7 @@ type: keyword -- -*`cisco.rsa.internal.process_vid_src`*:: +*`rsa.internal.process_vid_src`*:: + -- Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. @@ -21415,7 +21408,7 @@ type: keyword -- -*`cisco.rsa.internal.rid`*:: +*`rsa.internal.rid`*:: + -- This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -21424,7 +21417,7 @@ type: long -- -*`cisco.rsa.internal.session_split`*:: +*`rsa.internal.session_split`*:: + -- This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -21433,7 +21426,7 @@ type: keyword -- -*`cisco.rsa.internal.site`*:: +*`rsa.internal.site`*:: + -- Deprecated key defined only in table map. 
@@ -21442,7 +21435,7 @@ type: keyword -- -*`cisco.rsa.internal.size`*:: +*`rsa.internal.size`*:: + -- This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -21451,7 +21444,7 @@ type: long -- -*`cisco.rsa.internal.sourcefile`*:: +*`rsa.internal.sourcefile`*:: + -- This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -21460,7 +21453,7 @@ type: keyword -- -*`cisco.rsa.internal.ubc_req`*:: +*`rsa.internal.ubc_req`*:: + -- This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once @@ -21469,7 +21462,7 @@ type: long -- -*`cisco.rsa.internal.ubc_res`*:: +*`rsa.internal.ubc_res`*:: + -- This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once @@ -21478,7 +21471,7 @@ type: long -- -*`cisco.rsa.internal.word`*:: +*`rsa.internal.word`*:: + -- This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log @@ -21488,7 +21481,7 @@ type: keyword -- -*`cisco.rsa.time.event_time`*:: +*`rsa.time.event_time`*:: + -- This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form @@ -21497,7 +21490,7 @@ type: date -- -*`cisco.rsa.time.duration_time`*:: +*`rsa.time.duration_time`*:: + -- This key is used to capture the normalized duration/lifetime in seconds. 
@@ -21506,7 +21499,7 @@ type: double -- -*`cisco.rsa.time.event_time_str`*:: +*`rsa.time.event_time_str`*:: + -- This key is used to capture the incomplete time mentioned in a session as a string @@ -21515,7 +21508,7 @@ type: keyword -- -*`cisco.rsa.time.starttime`*:: +*`rsa.time.starttime`*:: + -- This key is used to capture the Start time mentioned in a session in a standard form @@ -21524,21 +21517,21 @@ type: date -- -*`cisco.rsa.time.month`*:: +*`rsa.time.month`*:: + -- type: keyword -- -*`cisco.rsa.time.day`*:: +*`rsa.time.day`*:: + -- type: keyword -- -*`cisco.rsa.time.endtime`*:: +*`rsa.time.endtime`*:: + -- This key is used to capture the End time mentioned in a session in a standard form @@ -21547,7 +21540,7 @@ type: date -- -*`cisco.rsa.time.timezone`*:: +*`rsa.time.timezone`*:: + -- This key is used to capture the timezone of the Event Time @@ -21556,7 +21549,7 @@ type: keyword -- -*`cisco.rsa.time.duration_str`*:: +*`rsa.time.duration_str`*:: + -- A text string version of the duration @@ -21565,21 +21558,21 @@ type: keyword -- -*`cisco.rsa.time.date`*:: +*`rsa.time.date`*:: + -- type: keyword -- -*`cisco.rsa.time.year`*:: +*`rsa.time.year`*:: + -- type: keyword -- -*`cisco.rsa.time.recorded_time`*:: +*`rsa.time.recorded_time`*:: + -- The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. @@ -21588,14 +21581,14 @@ type: date -- -*`cisco.rsa.time.datetime`*:: +*`rsa.time.datetime`*:: + -- type: keyword -- -*`cisco.rsa.time.effective_time`*:: +*`rsa.time.effective_time`*:: + -- This key is the effective time referenced by an individual event in a Standard Timestamp format @@ -21604,7 +21597,7 @@ type: date -- -*`cisco.rsa.time.expire_time`*:: +*`rsa.time.expire_time`*:: + -- This key is the timestamp that explicitly refers to an expiration. 
@@ -21613,7 +21606,7 @@ type: date -- -*`cisco.rsa.time.process_time`*:: +*`rsa.time.process_time`*:: + -- Deprecated, use duration.time @@ -21622,28 +21615,28 @@ type: keyword -- -*`cisco.rsa.time.hour`*:: +*`rsa.time.hour`*:: + -- type: keyword -- -*`cisco.rsa.time.min`*:: +*`rsa.time.min`*:: + -- type: keyword -- -*`cisco.rsa.time.timestamp`*:: +*`rsa.time.timestamp`*:: + -- type: keyword -- -*`cisco.rsa.time.event_queue_time`*:: +*`rsa.time.event_queue_time`*:: + -- This key is the Time that the event was queued. @@ -21652,77 +21645,77 @@ type: date -- -*`cisco.rsa.time.p_time1`*:: +*`rsa.time.p_time1`*:: + -- type: keyword -- -*`cisco.rsa.time.tzone`*:: +*`rsa.time.tzone`*:: + -- type: keyword -- -*`cisco.rsa.time.eventtime`*:: +*`rsa.time.eventtime`*:: + -- type: keyword -- -*`cisco.rsa.time.gmtdate`*:: +*`rsa.time.gmtdate`*:: + -- type: keyword -- -*`cisco.rsa.time.gmttime`*:: +*`rsa.time.gmttime`*:: + -- type: keyword -- -*`cisco.rsa.time.p_date`*:: +*`rsa.time.p_date`*:: + -- type: keyword -- -*`cisco.rsa.time.p_month`*:: +*`rsa.time.p_month`*:: + -- type: keyword -- -*`cisco.rsa.time.p_time`*:: +*`rsa.time.p_time`*:: + -- type: keyword -- -*`cisco.rsa.time.p_time2`*:: +*`rsa.time.p_time2`*:: + -- type: keyword -- -*`cisco.rsa.time.p_year`*:: +*`rsa.time.p_year`*:: + -- type: keyword -- -*`cisco.rsa.time.expire_time_str`*:: +*`rsa.time.expire_time_str`*:: + -- This key is used to capture incomplete timestamp that explicitly refers to an expiration. @@ -21731,7 +21724,7 @@ type: keyword -- -*`cisco.rsa.time.stamp`*:: +*`rsa.time.stamp`*:: + -- Deprecated key defined only in table map. @@ -21741,14 +21734,14 @@ type: date -- -*`cisco.rsa.misc.action`*:: +*`rsa.misc.action`*:: + -- type: keyword -- -*`cisco.rsa.misc.result`*:: +*`rsa.misc.result`*:: + -- This key is used to capture the outcome/result string value of an action in a session. 
@@ -21757,7 +21750,7 @@ type: keyword -- -*`cisco.rsa.misc.severity`*:: +*`rsa.misc.severity`*:: + -- This key is used to capture the severity given the session @@ -21766,7 +21759,7 @@ type: keyword -- -*`cisco.rsa.misc.event_type`*:: +*`rsa.misc.event_type`*:: + -- This key captures the event category type as specified by the event source. @@ -21775,7 +21768,7 @@ type: keyword -- -*`cisco.rsa.misc.reference_id`*:: +*`rsa.misc.reference_id`*:: + -- This key is used to capture an event id from the session directly @@ -21784,7 +21777,7 @@ type: keyword -- -*`cisco.rsa.misc.version`*:: +*`rsa.misc.version`*:: + -- This key captures Version of the application or OS which is generating the event. @@ -21793,7 +21786,7 @@ type: keyword -- -*`cisco.rsa.misc.disposition`*:: +*`rsa.misc.disposition`*:: + -- This key captures the The end state of an action. @@ -21802,7 +21795,7 @@ type: keyword -- -*`cisco.rsa.misc.result_code`*:: +*`rsa.misc.result_code`*:: + -- This key is used to capture the outcome/result numeric value of an action in a session @@ -21811,7 +21804,7 @@ type: keyword -- -*`cisco.rsa.misc.category`*:: +*`rsa.misc.category`*:: + -- This key is used to capture the category of an event given by the vendor in the session @@ -21820,7 +21813,7 @@ type: keyword -- -*`cisco.rsa.misc.obj_name`*:: +*`rsa.misc.obj_name`*:: + -- This is used to capture name of object @@ -21829,7 +21822,7 @@ type: keyword -- -*`cisco.rsa.misc.obj_type`*:: +*`rsa.misc.obj_type`*:: + -- This is used to capture type of object @@ -21838,7 +21831,7 @@ type: keyword -- -*`cisco.rsa.misc.event_source`*:: +*`rsa.misc.event_source`*:: + -- This key captures Source of the event that’s not a hostname @@ -21847,7 +21840,7 @@ type: keyword -- -*`cisco.rsa.misc.log_session_id`*:: +*`rsa.misc.log_session_id`*:: + -- This key is used to capture a sessionid from the session directly 
@@ -21856,7 +21849,7 @@ type: keyword -- -*`cisco.rsa.misc.group`*:: +*`rsa.misc.group`*:: + -- This key captures the Group Name value @@ -21865,7 +21858,7 @@ type: keyword -- -*`cisco.rsa.misc.policy_name`*:: +*`rsa.misc.policy_name`*:: + -- This key is used to capture the Policy Name only. @@ -21874,7 +21867,7 @@ type: keyword -- -*`cisco.rsa.misc.rule_name`*:: +*`rsa.misc.rule_name`*:: + -- This key captures the Rule Name @@ -21883,7 +21876,7 @@ type: keyword -- -*`cisco.rsa.misc.context`*:: +*`rsa.misc.context`*:: + -- This key captures Information which adds additional context to the event. @@ -21892,7 +21885,7 @@ type: keyword -- -*`cisco.rsa.misc.change_new`*:: +*`rsa.misc.change_new`*:: + -- This key is used to capture the new values of the attribute that’s changing in a session @@ -21901,14 +21894,14 @@ type: keyword -- -*`cisco.rsa.misc.space`*:: +*`rsa.misc.space`*:: + -- type: keyword -- -*`cisco.rsa.misc.client`*:: +*`rsa.misc.client`*:: + -- This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. @@ -21917,21 +21910,21 @@ type: keyword -- -*`cisco.rsa.misc.msgIdPart1`*:: +*`rsa.misc.msgIdPart1`*:: + -- type: keyword -- -*`cisco.rsa.misc.msgIdPart2`*:: +*`rsa.misc.msgIdPart2`*:: + -- type: keyword -- -*`cisco.rsa.misc.change_old`*:: +*`rsa.misc.change_old`*:: + -- This key is used to capture the old value of the attribute that’s changing in a session @@ -21940,7 +21933,7 @@ type: keyword -- -*`cisco.rsa.misc.operation_id`*:: +*`rsa.misc.operation_id`*:: + -- An alert number or operation number. The values should be unique and non-repeating. @@ -21949,7 +21942,7 @@ type: keyword -- -*`cisco.rsa.misc.event_state`*:: +*`rsa.misc.event_state`*:: + -- This key captures the current state of the object/item referenced within the event. Describing an on-going event. 
@@ -21958,7 +21951,7 @@ type: keyword -- -*`cisco.rsa.misc.group_object`*:: +*`rsa.misc.group_object`*:: + -- This key captures a collection/grouping of entities. Specific usage @@ -21967,7 +21960,7 @@ type: keyword -- -*`cisco.rsa.misc.node`*:: +*`rsa.misc.node`*:: + -- Common use case is the node name within a cluster. The cluster name is reflected by the host name. @@ -21976,7 +21969,7 @@ type: keyword -- -*`cisco.rsa.misc.rule`*:: +*`rsa.misc.rule`*:: + -- This key captures the Rule number @@ -21985,7 +21978,7 @@ type: keyword -- -*`cisco.rsa.misc.device_name`*:: +*`rsa.misc.device_name`*:: + -- This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc @@ -21994,7 +21987,7 @@ type: keyword -- -*`cisco.rsa.misc.param`*:: +*`rsa.misc.param`*:: + -- This key is the parameters passed as part of a command or application, etc. @@ -22003,7 +21996,7 @@ type: keyword -- -*`cisco.rsa.misc.change_attrib`*:: +*`rsa.misc.change_attrib`*:: + -- This key is used to capture the name of the attribute that’s changing in a session @@ -22012,7 +22005,7 @@ type: keyword -- -*`cisco.rsa.misc.event_computer`*:: +*`rsa.misc.event_computer`*:: + -- This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. @@ -22021,7 +22014,7 @@ type: keyword -- -*`cisco.rsa.misc.reference_id1`*:: +*`rsa.misc.reference_id1`*:: + -- This key is for Linked ID to be used as an addition to "reference.id" @@ -22030,7 +22023,7 @@ type: keyword -- -*`cisco.rsa.misc.event_log`*:: +*`rsa.misc.event_log`*:: + -- This key captures the Name of the event log @@ -22039,7 +22032,7 @@ type: keyword -- -*`cisco.rsa.misc.OS`*:: +*`rsa.misc.OS`*:: + -- This key captures the Name of the Operating System @@ -22048,7 +22041,7 @@ type: keyword -- -*`cisco.rsa.misc.terminal`*:: +*`rsa.misc.terminal`*:: + -- This key captures the Terminal Names only 
@@ -22057,14 +22050,14 @@ type: keyword -- -*`cisco.rsa.misc.msgIdPart3`*:: +*`rsa.misc.msgIdPart3`*:: + -- type: keyword -- -*`cisco.rsa.misc.filter`*:: +*`rsa.misc.filter`*:: + -- This key captures Filter used to reduce result set @@ -22073,7 +22066,7 @@ type: keyword -- -*`cisco.rsa.misc.serial_number`*:: +*`rsa.misc.serial_number`*:: + -- This key is the Serial number associated with a physical asset. @@ -22082,7 +22075,7 @@ type: keyword -- -*`cisco.rsa.misc.checksum`*:: +*`rsa.misc.checksum`*:: + -- This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. @@ -22091,7 +22084,7 @@ type: keyword -- -*`cisco.rsa.misc.event_user`*:: +*`rsa.misc.event_user`*:: + -- This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. @@ -22100,7 +22093,7 @@ type: keyword -- -*`cisco.rsa.misc.virusname`*:: +*`rsa.misc.virusname`*:: + -- This key captures the name of the virus @@ -22109,7 +22102,7 @@ type: keyword -- -*`cisco.rsa.misc.content_type`*:: +*`rsa.misc.content_type`*:: + -- This key is used to capture Content Type only. @@ -22118,7 +22111,7 @@ type: keyword -- -*`cisco.rsa.misc.group_id`*:: +*`rsa.misc.group_id`*:: + -- This key captures Group ID Number (related to the group name) @@ -22127,7 +22120,7 @@ type: keyword -- -*`cisco.rsa.misc.policy_id`*:: +*`rsa.misc.policy_id`*:: + -- This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise @@ -22136,7 +22129,7 @@ type: keyword -- -*`cisco.rsa.misc.vsys`*:: +*`rsa.misc.vsys`*:: + -- This key captures Virtual System Name @@ -22145,7 +22138,7 @@ type: keyword -- -*`cisco.rsa.misc.connection_id`*:: +*`rsa.misc.connection_id`*:: + -- This key captures the Connection ID 
@@ -22154,7 +22147,7 @@ type: keyword -- -*`cisco.rsa.misc.reference_id2`*:: +*`rsa.misc.reference_id2`*:: + -- This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. @@ -22163,7 +22156,7 @@ type: keyword -- -*`cisco.rsa.misc.sensor`*:: +*`rsa.misc.sensor`*:: + -- This key captures Name of the sensor. Typically used in IDS/IPS based devices @@ -22172,7 +22165,7 @@ type: keyword -- -*`cisco.rsa.misc.sig_id`*:: +*`rsa.misc.sig_id`*:: + -- This key captures IDS/IPS Int Signature ID @@ -22181,7 +22174,7 @@ type: long -- -*`cisco.rsa.misc.port_name`*:: +*`rsa.misc.port_name`*:: + -- This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). @@ -22190,7 +22183,7 @@ type: keyword -- -*`cisco.rsa.misc.rule_group`*:: +*`rsa.misc.rule_group`*:: + -- This key captures the Rule group name @@ -22199,7 +22192,7 @@ type: keyword -- -*`cisco.rsa.misc.risk_num`*:: +*`rsa.misc.risk_num`*:: + -- This key captures a Numeric Risk value @@ -22208,7 +22201,7 @@ type: double -- -*`cisco.rsa.misc.trigger_val`*:: +*`rsa.misc.trigger_val`*:: + -- This key captures the Value of the trigger or threshold condition. @@ -22217,7 +22210,7 @@ type: keyword -- -*`cisco.rsa.misc.log_session_id1`*:: +*`rsa.misc.log_session_id1`*:: + -- This key is used to capture a Linked (Related) Session ID from the session directly @@ -22226,7 +22219,7 @@ type: keyword -- -*`cisco.rsa.misc.comp_version`*:: +*`rsa.misc.comp_version`*:: + -- This key captures the Version level of a sub-component of a product. @@ -22235,7 +22228,7 @@ type: keyword -- -*`cisco.rsa.misc.content_version`*:: +*`rsa.misc.content_version`*:: + -- This key captures Version level of a signature or database content. 
@@ -22244,7 +22237,7 @@ type: keyword -- -*`cisco.rsa.misc.hardware_id`*:: +*`rsa.misc.hardware_id`*:: + -- This key is used to capture unique identifier for a device or system (NOT a Mac address) @@ -22253,7 +22246,7 @@ type: keyword -- -*`cisco.rsa.misc.risk`*:: +*`rsa.misc.risk`*:: + -- This key captures the non-numeric risk value @@ -22262,28 +22255,28 @@ type: keyword -- -*`cisco.rsa.misc.event_id`*:: +*`rsa.misc.event_id`*:: + -- type: keyword -- -*`cisco.rsa.misc.reason`*:: +*`rsa.misc.reason`*:: + -- type: keyword -- -*`cisco.rsa.misc.status`*:: +*`rsa.misc.status`*:: + -- type: keyword -- -*`cisco.rsa.misc.mail_id`*:: +*`rsa.misc.mail_id`*:: + -- This key is used to capture the mailbox id/name @@ -22292,7 +22285,7 @@ type: keyword -- -*`cisco.rsa.misc.rule_uid`*:: +*`rsa.misc.rule_uid`*:: + -- This key is the Unique Identifier for a rule. @@ -22301,7 +22294,7 @@ type: keyword -- -*`cisco.rsa.misc.trigger_desc`*:: +*`rsa.misc.trigger_desc`*:: + -- This key captures the Description of the trigger or threshold condition. @@ -22310,35 +22303,35 @@ type: keyword -- -*`cisco.rsa.misc.inout`*:: +*`rsa.misc.inout`*:: + -- type: keyword -- -*`cisco.rsa.misc.p_msgid`*:: +*`rsa.misc.p_msgid`*:: + -- type: keyword -- -*`cisco.rsa.misc.data_type`*:: +*`rsa.misc.data_type`*:: + -- type: keyword -- -*`cisco.rsa.misc.msgIdPart4`*:: +*`rsa.misc.msgIdPart4`*:: + -- type: keyword -- -*`cisco.rsa.misc.error`*:: +*`rsa.misc.error`*:: + -- This key captures All non successful Error codes or responses @@ -22347,14 +22340,14 @@ type: keyword -- -*`cisco.rsa.misc.index`*:: +*`rsa.misc.index`*:: + -- type: keyword -- -*`cisco.rsa.misc.listnum`*:: +*`rsa.misc.listnum`*:: + -- This key is used to capture listname or listnumber, primarily for collecting access-list 
@@ -22363,14 +22356,14 @@ type: keyword -- -*`cisco.rsa.misc.ntype`*:: +*`rsa.misc.ntype`*:: + -- type: keyword -- -*`cisco.rsa.misc.observed_val`*:: +*`rsa.misc.observed_val`*:: + -- This key captures the Value observed (from the perspective of the device generating the log). @@ -22379,7 +22372,7 @@ type: keyword -- -*`cisco.rsa.misc.policy_value`*:: +*`rsa.misc.policy_value`*:: + -- This key captures the contents of the policy. This contains details about the policy @@ -22388,7 +22381,7 @@ type: keyword -- -*`cisco.rsa.misc.pool_name`*:: +*`rsa.misc.pool_name`*:: + -- This key captures the name of a resource pool @@ -22397,7 +22390,7 @@ type: keyword -- -*`cisco.rsa.misc.rule_template`*:: +*`rsa.misc.rule_template`*:: + -- A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template @@ -22406,35 +22399,35 @@ type: keyword -- -*`cisco.rsa.misc.count`*:: +*`rsa.misc.count`*:: + -- type: keyword -- -*`cisco.rsa.misc.number`*:: +*`rsa.misc.number`*:: + -- type: keyword -- -*`cisco.rsa.misc.sigcat`*:: +*`rsa.misc.sigcat`*:: + -- type: keyword -- -*`cisco.rsa.misc.type`*:: +*`rsa.misc.type`*:: + -- type: keyword -- -*`cisco.rsa.misc.comments`*:: +*`rsa.misc.comments`*:: + -- Comment information provided in the log message @@ -22443,7 +22436,7 @@ type: keyword -- -*`cisco.rsa.misc.doc_number`*:: +*`rsa.misc.doc_number`*:: + -- This key captures File Identification number @@ -22452,7 +22445,7 @@ type: long -- -*`cisco.rsa.misc.expected_val`*:: +*`rsa.misc.expected_val`*:: + -- This key captures the Value expected (from the perspective of the device generating the log). @@ -22461,7 +22454,7 @@ type: keyword -- -*`cisco.rsa.misc.job_num`*:: +*`rsa.misc.job_num`*:: + -- This key captures the Job Number @@ -22470,7 +22463,7 @@ type: keyword -- -*`cisco.rsa.misc.spi_dst`*:: +*`rsa.misc.spi_dst`*:: + -- Destination SPI Index 
@@ -22479,7 +22472,7 @@ type: keyword -- -*`cisco.rsa.misc.spi_src`*:: +*`rsa.misc.spi_src`*:: + -- Source SPI Index @@ -22488,14 +22481,14 @@ type: keyword -- -*`cisco.rsa.misc.code`*:: +*`rsa.misc.code`*:: + -- type: keyword -- -*`cisco.rsa.misc.agent_id`*:: +*`rsa.misc.agent_id`*:: + -- This key is used to capture agent id @@ -22504,7 +22497,7 @@ type: keyword -- -*`cisco.rsa.misc.message_body`*:: +*`rsa.misc.message_body`*:: + -- This key captures the The contents of the message body. @@ -22513,14 +22506,14 @@ type: keyword -- -*`cisco.rsa.misc.phone`*:: +*`rsa.misc.phone`*:: + -- type: keyword -- -*`cisco.rsa.misc.sig_id_str`*:: +*`rsa.misc.sig_id_str`*:: + -- This key captures a string object of the sigid variable. @@ -22529,28 +22522,28 @@ type: keyword -- -*`cisco.rsa.misc.cmd`*:: +*`rsa.misc.cmd`*:: + -- type: keyword -- -*`cisco.rsa.misc.misc`*:: +*`rsa.misc.misc`*:: + -- type: keyword -- -*`cisco.rsa.misc.name`*:: +*`rsa.misc.name`*:: + -- type: keyword -- -*`cisco.rsa.misc.cpu`*:: +*`rsa.misc.cpu`*:: + -- This key is the CPU time used in the execution of the event being recorded. @@ -22559,7 +22552,7 @@ type: long -- -*`cisco.rsa.misc.event_desc`*:: +*`rsa.misc.event_desc`*:: + -- This key is used to capture a description of an event available directly or inferred @@ -22568,7 +22561,7 @@ type: keyword -- -*`cisco.rsa.misc.sig_id1`*:: +*`rsa.misc.sig_id1`*:: + -- This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id 
@@ -22577,42 +22570,42 @@ type: long -- -*`cisco.rsa.misc.im_buddyid`*:: +*`rsa.misc.im_buddyid`*:: + -- type: keyword -- -*`cisco.rsa.misc.im_client`*:: +*`rsa.misc.im_client`*:: + -- type: keyword -- -*`cisco.rsa.misc.im_userid`*:: +*`rsa.misc.im_userid`*:: + -- type: keyword -- -*`cisco.rsa.misc.pid`*:: +*`rsa.misc.pid`*:: + -- type: keyword -- -*`cisco.rsa.misc.priority`*:: +*`rsa.misc.priority`*:: + -- type: keyword -- -*`cisco.rsa.misc.context_subject`*:: +*`rsa.misc.context_subject`*:: + -- This key is to be used in an audit context where the subject is the object being identified @@ -22621,14 +22614,14 @@ type: keyword -- -*`cisco.rsa.misc.context_target`*:: +*`rsa.misc.context_target`*:: + -- type: keyword -- -*`cisco.rsa.misc.cve`*:: +*`rsa.misc.cve`*:: + -- This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. @@ -22637,7 +22630,7 @@ type: keyword -- -*`cisco.rsa.misc.fcatnum`*:: +*`rsa.misc.fcatnum`*:: + -- This key captures Filter Category Number. Legacy Usage @@ -22646,7 +22639,7 @@ type: keyword -- -*`cisco.rsa.misc.library`*:: +*`rsa.misc.library`*:: + -- This key is used to capture library information in mainframe devices @@ -22655,7 +22648,7 @@ type: keyword -- -*`cisco.rsa.misc.parent_node`*:: +*`rsa.misc.parent_node`*:: + -- This key captures the Parent Node Name. Must be related to node variable. @@ -22664,7 +22657,7 @@ type: keyword -- -*`cisco.rsa.misc.risk_info`*:: +*`rsa.misc.risk_info`*:: + -- Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) @@ -22673,7 +22666,7 @@ type: keyword -- -*`cisco.rsa.misc.tcp_flags`*:: +*`rsa.misc.tcp_flags`*:: + -- This key is captures the TCP flags set in any packet of session @@ -22682,7 +22675,7 @@ type: long -- -*`cisco.rsa.misc.tos`*:: +*`rsa.misc.tos`*:: + -- This key describes the type of service 
@@ -22691,7 +22684,7 @@ type: long -- -*`cisco.rsa.misc.vm_target`*:: +*`rsa.misc.vm_target`*:: + -- VMWare Target **VMWARE** only varaible. @@ -22700,7 +22693,7 @@ type: keyword -- -*`cisco.rsa.misc.workspace`*:: +*`rsa.misc.workspace`*:: + -- This key captures Workspace Description @@ -22709,91 +22702,91 @@ type: keyword -- -*`cisco.rsa.misc.command`*:: +*`rsa.misc.command`*:: + -- type: keyword -- -*`cisco.rsa.misc.event_category`*:: +*`rsa.misc.event_category`*:: + -- type: keyword -- -*`cisco.rsa.misc.facilityname`*:: +*`rsa.misc.facilityname`*:: + -- type: keyword -- -*`cisco.rsa.misc.forensic_info`*:: +*`rsa.misc.forensic_info`*:: + -- type: keyword -- -*`cisco.rsa.misc.jobname`*:: +*`rsa.misc.jobname`*:: + -- type: keyword -- -*`cisco.rsa.misc.mode`*:: +*`rsa.misc.mode`*:: + -- type: keyword -- -*`cisco.rsa.misc.policy`*:: +*`rsa.misc.policy`*:: + -- type: keyword -- -*`cisco.rsa.misc.policy_waiver`*:: +*`rsa.misc.policy_waiver`*:: + -- type: keyword -- -*`cisco.rsa.misc.second`*:: +*`rsa.misc.second`*:: + -- type: keyword -- -*`cisco.rsa.misc.space1`*:: +*`rsa.misc.space1`*:: + -- type: keyword -- -*`cisco.rsa.misc.subcategory`*:: +*`rsa.misc.subcategory`*:: + -- type: keyword -- -*`cisco.rsa.misc.tbdstr2`*:: +*`rsa.misc.tbdstr2`*:: + -- type: keyword -- -*`cisco.rsa.misc.alert_id`*:: +*`rsa.misc.alert_id`*:: + -- Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) @@ -22802,7 +22795,7 @@ type: keyword -- -*`cisco.rsa.misc.checksum_dst`*:: +*`rsa.misc.checksum_dst`*:: + -- This key is used to capture the checksum or hash of the the target entity such as a process or file. @@ -22811,7 +22804,7 @@ type: keyword -- -*`cisco.rsa.misc.checksum_src`*:: +*`rsa.misc.checksum_src`*:: + -- This key is used to capture the checksum or hash of the source entity such as a file or process. @@ -22820,7 +22813,7 @@ type: keyword -- -*`cisco.rsa.misc.fresult`*:: +*`rsa.misc.fresult`*:: + -- This key captures the Filter Result 
@@ -22829,7 +22822,7 @@ type: long -- -*`cisco.rsa.misc.payload_dst`*:: +*`rsa.misc.payload_dst`*:: + -- This key is used to capture destination payload @@ -22838,7 +22831,7 @@ type: keyword -- -*`cisco.rsa.misc.payload_src`*:: +*`rsa.misc.payload_src`*:: + -- This key is used to capture source payload @@ -22847,7 +22840,7 @@ type: keyword -- -*`cisco.rsa.misc.pool_id`*:: +*`rsa.misc.pool_id`*:: + -- This key captures the identifier (typically numeric field) of a resource pool @@ -22856,7 +22849,7 @@ type: keyword -- -*`cisco.rsa.misc.process_id_val`*:: +*`rsa.misc.process_id_val`*:: + -- This key is a failure key for Process ID when it is not an integer value @@ -22865,7 +22858,7 @@ type: keyword -- -*`cisco.rsa.misc.risk_num_comm`*:: +*`rsa.misc.risk_num_comm`*:: + -- This key captures Risk Number Community @@ -22874,7 +22867,7 @@ type: double -- -*`cisco.rsa.misc.risk_num_next`*:: +*`rsa.misc.risk_num_next`*:: + -- This key captures Risk Number NextGen @@ -22883,7 +22876,7 @@ type: double -- -*`cisco.rsa.misc.risk_num_sand`*:: +*`rsa.misc.risk_num_sand`*:: + -- This key captures Risk Number SandBox @@ -22892,7 +22885,7 @@ type: double -- -*`cisco.rsa.misc.risk_num_static`*:: +*`rsa.misc.risk_num_static`*:: + -- This key captures Risk Number Static @@ -22901,7 +22894,7 @@ type: double -- -*`cisco.rsa.misc.risk_suspicious`*:: +*`rsa.misc.risk_suspicious`*:: + -- Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) @@ -22910,7 +22903,7 @@ type: keyword -- -*`cisco.rsa.misc.risk_warning`*:: +*`rsa.misc.risk_warning`*:: + -- Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) @@ -22919,7 +22912,7 @@ type: keyword -- -*`cisco.rsa.misc.snmp_oid`*:: +*`rsa.misc.snmp_oid`*:: + -- SNMP Object Identifier @@ -22928,7 +22921,7 @@ type: keyword -- -*`cisco.rsa.misc.sql`*:: +*`rsa.misc.sql`*:: + -- This key captures the SQL query 
@@ -22937,7 +22930,7 @@ type: keyword -- -*`cisco.rsa.misc.vuln_ref`*:: +*`rsa.misc.vuln_ref`*:: + -- This key captures the Vulnerability Reference details 
@@ -22946,1547 +22939,1547 @@ type: keyword -- -*`cisco.rsa.misc.acl_id`*:: +*`rsa.misc.acl_id`*:: + -- type: keyword -- -*`cisco.rsa.misc.acl_op`*:: +*`rsa.misc.acl_op`*:: + -- type: keyword -- -*`cisco.rsa.misc.acl_pos`*:: +*`rsa.misc.acl_pos`*:: + -- type: keyword -- -*`cisco.rsa.misc.acl_table`*:: +*`rsa.misc.acl_table`*:: + -- type: keyword -- -*`cisco.rsa.misc.admin`*:: +*`rsa.misc.admin`*:: + -- type: keyword -- -*`cisco.rsa.misc.alarm_id`*:: +*`rsa.misc.alarm_id`*:: + -- type: keyword -- -*`cisco.rsa.misc.alarmname`*:: +*`rsa.misc.alarmname`*:: + -- type: keyword -- -*`cisco.rsa.misc.app_id`*:: +*`rsa.misc.app_id`*:: + -- type: keyword -- -*`cisco.rsa.misc.audit`*:: +*`rsa.misc.audit`*:: + -- type: keyword -- -*`cisco.rsa.misc.audit_object`*:: +*`rsa.misc.audit_object`*:: + -- type: keyword -- -*`cisco.rsa.misc.auditdata`*:: +*`rsa.misc.auditdata`*:: + -- type: keyword -- -*`cisco.rsa.misc.benchmark`*:: +*`rsa.misc.benchmark`*:: + -- type: keyword -- -*`cisco.rsa.misc.bypass`*:: +*`rsa.misc.bypass`*:: + -- type: keyword -- -*`cisco.rsa.misc.cache`*:: +*`rsa.misc.cache`*:: + -- type: keyword -- -*`cisco.rsa.misc.cache_hit`*:: +*`rsa.misc.cache_hit`*:: + -- type: keyword -- -*`cisco.rsa.misc.cefversion`*:: +*`rsa.misc.cefversion`*:: + -- type: keyword -- -*`cisco.rsa.misc.cfg_attr`*:: +*`rsa.misc.cfg_attr`*:: + -- type: keyword -- -*`cisco.rsa.misc.cfg_obj`*:: +*`rsa.misc.cfg_obj`*:: + -- type: keyword -- -*`cisco.rsa.misc.cfg_path`*:: +*`rsa.misc.cfg_path`*:: + -- type: keyword -- -*`cisco.rsa.misc.changes`*:: +*`rsa.misc.changes`*:: + -- type: keyword -- -*`cisco.rsa.misc.client_ip`*:: +*`rsa.misc.client_ip`*:: + -- type: keyword -- -*`cisco.rsa.misc.clustermembers`*:: +*`rsa.misc.clustermembers`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_acttimeout`*:: +*`rsa.misc.cn_acttimeout`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_asn_src`*:: +*`rsa.misc.cn_asn_src`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_bgpv4nxthop`*:: +*`rsa.misc.cn_bgpv4nxthop`*:: + 
-- type: keyword -- -*`cisco.rsa.misc.cn_ctr_dst_code`*:: +*`rsa.misc.cn_ctr_dst_code`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_dst_tos`*:: +*`rsa.misc.cn_dst_tos`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_dst_vlan`*:: +*`rsa.misc.cn_dst_vlan`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_engine_id`*:: +*`rsa.misc.cn_engine_id`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_engine_type`*:: +*`rsa.misc.cn_engine_type`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_f_switch`*:: +*`rsa.misc.cn_f_switch`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_flowsampid`*:: +*`rsa.misc.cn_flowsampid`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_flowsampintv`*:: +*`rsa.misc.cn_flowsampintv`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_flowsampmode`*:: +*`rsa.misc.cn_flowsampmode`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_inacttimeout`*:: +*`rsa.misc.cn_inacttimeout`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_inpermbyts`*:: +*`rsa.misc.cn_inpermbyts`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_inpermpckts`*:: +*`rsa.misc.cn_inpermpckts`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_invalid`*:: +*`rsa.misc.cn_invalid`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_ip_proto_ver`*:: +*`rsa.misc.cn_ip_proto_ver`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_ipv4_ident`*:: +*`rsa.misc.cn_ipv4_ident`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_l_switch`*:: +*`rsa.misc.cn_l_switch`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_log_did`*:: +*`rsa.misc.cn_log_did`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_log_rid`*:: +*`rsa.misc.cn_log_rid`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_max_ttl`*:: +*`rsa.misc.cn_max_ttl`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_maxpcktlen`*:: +*`rsa.misc.cn_maxpcktlen`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_min_ttl`*:: +*`rsa.misc.cn_min_ttl`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_minpcktlen`*:: +*`rsa.misc.cn_minpcktlen`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_mpls_lbl_1`*:: +*`rsa.misc.cn_mpls_lbl_1`*:: + 
-- type: keyword -- -*`cisco.rsa.misc.cn_mpls_lbl_10`*:: +*`rsa.misc.cn_mpls_lbl_10`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_mpls_lbl_2`*:: +*`rsa.misc.cn_mpls_lbl_2`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_mpls_lbl_3`*:: +*`rsa.misc.cn_mpls_lbl_3`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_mpls_lbl_4`*:: +*`rsa.misc.cn_mpls_lbl_4`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_mpls_lbl_5`*:: +*`rsa.misc.cn_mpls_lbl_5`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_mpls_lbl_6`*:: +*`rsa.misc.cn_mpls_lbl_6`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_mpls_lbl_7`*:: +*`rsa.misc.cn_mpls_lbl_7`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_mpls_lbl_8`*:: +*`rsa.misc.cn_mpls_lbl_8`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_mpls_lbl_9`*:: +*`rsa.misc.cn_mpls_lbl_9`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_mplstoplabel`*:: +*`rsa.misc.cn_mplstoplabel`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_mplstoplabip`*:: +*`rsa.misc.cn_mplstoplabip`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_mul_dst_byt`*:: +*`rsa.misc.cn_mul_dst_byt`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_mul_dst_pks`*:: +*`rsa.misc.cn_mul_dst_pks`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_muligmptype`*:: +*`rsa.misc.cn_muligmptype`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_sampalgo`*:: +*`rsa.misc.cn_sampalgo`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_sampint`*:: +*`rsa.misc.cn_sampint`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_seqctr`*:: +*`rsa.misc.cn_seqctr`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_spackets`*:: +*`rsa.misc.cn_spackets`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_src_tos`*:: +*`rsa.misc.cn_src_tos`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_src_vlan`*:: +*`rsa.misc.cn_src_vlan`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_sysuptime`*:: +*`rsa.misc.cn_sysuptime`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_template_id`*:: +*`rsa.misc.cn_template_id`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_totbytsexp`*:: 
+*`rsa.misc.cn_totbytsexp`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_totflowexp`*:: +*`rsa.misc.cn_totflowexp`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_totpcktsexp`*:: +*`rsa.misc.cn_totpcktsexp`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_unixnanosecs`*:: +*`rsa.misc.cn_unixnanosecs`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_v6flowlabel`*:: +*`rsa.misc.cn_v6flowlabel`*:: + -- type: keyword -- -*`cisco.rsa.misc.cn_v6optheaders`*:: +*`rsa.misc.cn_v6optheaders`*:: + -- type: keyword -- -*`cisco.rsa.misc.comp_class`*:: +*`rsa.misc.comp_class`*:: + -- type: keyword -- -*`cisco.rsa.misc.comp_name`*:: +*`rsa.misc.comp_name`*:: + -- type: keyword -- -*`cisco.rsa.misc.comp_rbytes`*:: +*`rsa.misc.comp_rbytes`*:: + -- type: keyword -- -*`cisco.rsa.misc.comp_sbytes`*:: +*`rsa.misc.comp_sbytes`*:: + -- type: keyword -- -*`cisco.rsa.misc.cpu_data`*:: +*`rsa.misc.cpu_data`*:: + -- type: keyword -- -*`cisco.rsa.misc.criticality`*:: +*`rsa.misc.criticality`*:: + -- type: keyword -- -*`cisco.rsa.misc.cs_agency_dst`*:: +*`rsa.misc.cs_agency_dst`*:: + -- type: keyword -- -*`cisco.rsa.misc.cs_analyzedby`*:: +*`rsa.misc.cs_analyzedby`*:: + -- type: keyword -- -*`cisco.rsa.misc.cs_av_other`*:: +*`rsa.misc.cs_av_other`*:: + -- type: keyword -- -*`cisco.rsa.misc.cs_av_primary`*:: +*`rsa.misc.cs_av_primary`*:: + -- type: keyword -- -*`cisco.rsa.misc.cs_av_secondary`*:: +*`rsa.misc.cs_av_secondary`*:: + -- type: keyword -- -*`cisco.rsa.misc.cs_bgpv6nxthop`*:: +*`rsa.misc.cs_bgpv6nxthop`*:: + -- type: keyword -- -*`cisco.rsa.misc.cs_bit9status`*:: +*`rsa.misc.cs_bit9status`*:: + -- type: keyword -- -*`cisco.rsa.misc.cs_context`*:: +*`rsa.misc.cs_context`*:: + -- type: keyword -- -*`cisco.rsa.misc.cs_control`*:: +*`rsa.misc.cs_control`*:: + -- type: keyword -- -*`cisco.rsa.misc.cs_data`*:: +*`rsa.misc.cs_data`*:: + -- type: keyword -- -*`cisco.rsa.misc.cs_datecret`*:: +*`rsa.misc.cs_datecret`*:: + -- type: keyword -- -*`cisco.rsa.misc.cs_dst_tld`*:: +*`rsa.misc.cs_dst_tld`*:: + 
-- type: keyword -- -*`cisco.rsa.misc.cs_eth_dst_ven`*:: +*`rsa.misc.cs_eth_dst_ven`*:: + -- type: keyword -- -*`cisco.rsa.misc.cs_eth_src_ven`*:: +*`rsa.misc.cs_eth_src_ven`*:: + -- type: keyword -- -*`cisco.rsa.misc.cs_event_uuid`*:: +*`rsa.misc.cs_event_uuid`*:: + -- type: keyword -- -*`cisco.rsa.misc.cs_filetype`*:: +*`rsa.misc.cs_filetype`*:: + -- type: keyword -- -*`cisco.rsa.misc.cs_fld`*:: +*`rsa.misc.cs_fld`*:: + -- type: keyword -- -*`cisco.rsa.misc.cs_if_desc`*:: +*`rsa.misc.cs_if_desc`*:: + -- type: keyword -- -*`cisco.rsa.misc.cs_if_name`*:: +*`rsa.misc.cs_if_name`*:: + -- type: keyword -- -*`cisco.rsa.misc.cs_ip_next_hop`*:: +*`rsa.misc.cs_ip_next_hop`*:: + -- type: keyword -- -*`cisco.rsa.misc.cs_ipv4dstpre`*:: +*`rsa.misc.cs_ipv4dstpre`*:: + -- type: keyword -- -*`cisco.rsa.misc.cs_ipv4srcpre`*:: +*`rsa.misc.cs_ipv4srcpre`*:: + -- type: keyword -- -*`cisco.rsa.misc.cs_lifetime`*:: +*`rsa.misc.cs_lifetime`*:: + -- type: keyword -- -*`cisco.rsa.misc.cs_log_medium`*:: +*`rsa.misc.cs_log_medium`*:: + -- type: keyword -- -*`cisco.rsa.misc.cs_loginname`*:: +*`rsa.misc.cs_loginname`*:: + -- type: keyword -- -*`cisco.rsa.misc.cs_modulescore`*:: +*`rsa.misc.cs_modulescore`*:: + -- type: keyword -- -*`cisco.rsa.misc.cs_modulesign`*:: +*`rsa.misc.cs_modulesign`*:: + -- type: keyword -- -*`cisco.rsa.misc.cs_opswatresult`*:: +*`rsa.misc.cs_opswatresult`*:: + -- type: keyword -- -*`cisco.rsa.misc.cs_payload`*:: +*`rsa.misc.cs_payload`*:: + -- type: keyword -- -*`cisco.rsa.misc.cs_registrant`*:: +*`rsa.misc.cs_registrant`*:: + -- type: keyword -- -*`cisco.rsa.misc.cs_registrar`*:: +*`rsa.misc.cs_registrar`*:: + -- type: keyword -- -*`cisco.rsa.misc.cs_represult`*:: +*`rsa.misc.cs_represult`*:: + -- type: keyword -- -*`cisco.rsa.misc.cs_rpayload`*:: +*`rsa.misc.cs_rpayload`*:: + -- type: keyword -- -*`cisco.rsa.misc.cs_sampler_name`*:: +*`rsa.misc.cs_sampler_name`*:: + -- type: keyword -- -*`cisco.rsa.misc.cs_sourcemodule`*:: +*`rsa.misc.cs_sourcemodule`*:: + -- 
type: keyword -- -*`cisco.rsa.misc.cs_streams`*:: +*`rsa.misc.cs_streams`*:: + -- type: keyword -- -*`cisco.rsa.misc.cs_targetmodule`*:: +*`rsa.misc.cs_targetmodule`*:: + -- type: keyword -- -*`cisco.rsa.misc.cs_v6nxthop`*:: +*`rsa.misc.cs_v6nxthop`*:: + -- type: keyword -- -*`cisco.rsa.misc.cs_whois_server`*:: +*`rsa.misc.cs_whois_server`*:: + -- type: keyword -- -*`cisco.rsa.misc.cs_yararesult`*:: +*`rsa.misc.cs_yararesult`*:: + -- type: keyword -- -*`cisco.rsa.misc.description`*:: +*`rsa.misc.description`*:: + -- type: keyword -- -*`cisco.rsa.misc.devvendor`*:: +*`rsa.misc.devvendor`*:: + -- type: keyword -- -*`cisco.rsa.misc.distance`*:: +*`rsa.misc.distance`*:: + -- type: keyword -- -*`cisco.rsa.misc.dstburb`*:: +*`rsa.misc.dstburb`*:: + -- type: keyword -- -*`cisco.rsa.misc.edomain`*:: +*`rsa.misc.edomain`*:: + -- type: keyword -- -*`cisco.rsa.misc.edomaub`*:: +*`rsa.misc.edomaub`*:: + -- type: keyword -- -*`cisco.rsa.misc.euid`*:: +*`rsa.misc.euid`*:: + -- type: keyword -- -*`cisco.rsa.misc.facility`*:: +*`rsa.misc.facility`*:: + -- type: keyword -- -*`cisco.rsa.misc.finterface`*:: +*`rsa.misc.finterface`*:: + -- type: keyword -- -*`cisco.rsa.misc.flags`*:: +*`rsa.misc.flags`*:: + -- type: keyword -- -*`cisco.rsa.misc.gaddr`*:: +*`rsa.misc.gaddr`*:: + -- type: keyword -- -*`cisco.rsa.misc.id3`*:: +*`rsa.misc.id3`*:: + -- type: keyword -- -*`cisco.rsa.misc.im_buddyname`*:: +*`rsa.misc.im_buddyname`*:: + -- type: keyword -- -*`cisco.rsa.misc.im_croomid`*:: +*`rsa.misc.im_croomid`*:: + -- type: keyword -- -*`cisco.rsa.misc.im_croomtype`*:: +*`rsa.misc.im_croomtype`*:: + -- type: keyword -- -*`cisco.rsa.misc.im_members`*:: +*`rsa.misc.im_members`*:: + -- type: keyword -- -*`cisco.rsa.misc.im_username`*:: +*`rsa.misc.im_username`*:: + -- type: keyword -- -*`cisco.rsa.misc.ipkt`*:: +*`rsa.misc.ipkt`*:: + -- type: keyword -- -*`cisco.rsa.misc.ipscat`*:: +*`rsa.misc.ipscat`*:: + -- type: keyword -- -*`cisco.rsa.misc.ipspri`*:: +*`rsa.misc.ipspri`*:: + -- type: 
keyword -- -*`cisco.rsa.misc.latitude`*:: +*`rsa.misc.latitude`*:: + -- type: keyword -- -*`cisco.rsa.misc.linenum`*:: +*`rsa.misc.linenum`*:: + -- type: keyword -- -*`cisco.rsa.misc.list_name`*:: +*`rsa.misc.list_name`*:: + -- type: keyword -- -*`cisco.rsa.misc.load_data`*:: +*`rsa.misc.load_data`*:: + -- type: keyword -- -*`cisco.rsa.misc.location_floor`*:: +*`rsa.misc.location_floor`*:: + -- type: keyword -- -*`cisco.rsa.misc.location_mark`*:: +*`rsa.misc.location_mark`*:: + -- type: keyword -- -*`cisco.rsa.misc.log_id`*:: +*`rsa.misc.log_id`*:: + -- type: keyword -- -*`cisco.rsa.misc.log_type`*:: +*`rsa.misc.log_type`*:: + -- type: keyword -- -*`cisco.rsa.misc.logid`*:: +*`rsa.misc.logid`*:: + -- type: keyword -- -*`cisco.rsa.misc.logip`*:: +*`rsa.misc.logip`*:: + -- type: keyword -- -*`cisco.rsa.misc.logname`*:: +*`rsa.misc.logname`*:: + -- type: keyword -- -*`cisco.rsa.misc.longitude`*:: +*`rsa.misc.longitude`*:: + -- type: keyword -- -*`cisco.rsa.misc.lport`*:: +*`rsa.misc.lport`*:: + -- type: keyword -- -*`cisco.rsa.misc.mbug_data`*:: +*`rsa.misc.mbug_data`*:: + -- type: keyword -- -*`cisco.rsa.misc.misc_name`*:: +*`rsa.misc.misc_name`*:: + -- type: keyword -- -*`cisco.rsa.misc.msg_type`*:: +*`rsa.misc.msg_type`*:: + -- type: keyword -- -*`cisco.rsa.misc.msgid`*:: +*`rsa.misc.msgid`*:: + -- type: keyword -- -*`cisco.rsa.misc.netsessid`*:: +*`rsa.misc.netsessid`*:: + -- type: keyword -- -*`cisco.rsa.misc.num`*:: +*`rsa.misc.num`*:: + -- type: keyword -- -*`cisco.rsa.misc.number1`*:: +*`rsa.misc.number1`*:: + -- type: keyword -- -*`cisco.rsa.misc.number2`*:: +*`rsa.misc.number2`*:: + -- type: keyword -- -*`cisco.rsa.misc.nwwn`*:: +*`rsa.misc.nwwn`*:: + -- type: keyword -- -*`cisco.rsa.misc.object`*:: +*`rsa.misc.object`*:: + -- type: keyword -- -*`cisco.rsa.misc.operation`*:: +*`rsa.misc.operation`*:: + -- type: keyword -- -*`cisco.rsa.misc.opkt`*:: +*`rsa.misc.opkt`*:: + -- type: keyword -- -*`cisco.rsa.misc.orig_from`*:: +*`rsa.misc.orig_from`*:: + -- type: 
keyword -- -*`cisco.rsa.misc.owner_id`*:: +*`rsa.misc.owner_id`*:: + -- type: keyword -- -*`cisco.rsa.misc.p_action`*:: +*`rsa.misc.p_action`*:: + -- type: keyword -- -*`cisco.rsa.misc.p_filter`*:: +*`rsa.misc.p_filter`*:: + -- type: keyword -- -*`cisco.rsa.misc.p_group_object`*:: +*`rsa.misc.p_group_object`*:: + -- type: keyword -- -*`cisco.rsa.misc.p_id`*:: +*`rsa.misc.p_id`*:: + -- type: keyword -- -*`cisco.rsa.misc.p_msgid1`*:: +*`rsa.misc.p_msgid1`*:: + -- type: keyword -- -*`cisco.rsa.misc.p_msgid2`*:: +*`rsa.misc.p_msgid2`*:: + -- type: keyword -- -*`cisco.rsa.misc.p_result1`*:: +*`rsa.misc.p_result1`*:: + -- type: keyword -- -*`cisco.rsa.misc.password_chg`*:: +*`rsa.misc.password_chg`*:: + -- type: keyword -- -*`cisco.rsa.misc.password_expire`*:: +*`rsa.misc.password_expire`*:: + -- type: keyword -- -*`cisco.rsa.misc.permgranted`*:: +*`rsa.misc.permgranted`*:: + -- type: keyword -- -*`cisco.rsa.misc.permwanted`*:: +*`rsa.misc.permwanted`*:: + -- type: keyword -- -*`cisco.rsa.misc.pgid`*:: +*`rsa.misc.pgid`*:: + -- type: keyword -- -*`cisco.rsa.misc.policyUUID`*:: +*`rsa.misc.policyUUID`*:: + -- type: keyword -- -*`cisco.rsa.misc.prog_asp_num`*:: +*`rsa.misc.prog_asp_num`*:: + -- type: keyword -- -*`cisco.rsa.misc.program`*:: +*`rsa.misc.program`*:: + -- type: keyword -- -*`cisco.rsa.misc.real_data`*:: +*`rsa.misc.real_data`*:: + -- type: keyword -- -*`cisco.rsa.misc.rec_asp_device`*:: +*`rsa.misc.rec_asp_device`*:: + -- type: keyword -- -*`cisco.rsa.misc.rec_asp_num`*:: +*`rsa.misc.rec_asp_num`*:: + -- type: keyword -- -*`cisco.rsa.misc.rec_library`*:: +*`rsa.misc.rec_library`*:: + -- type: keyword -- -*`cisco.rsa.misc.recordnum`*:: +*`rsa.misc.recordnum`*:: + -- type: keyword -- -*`cisco.rsa.misc.ruid`*:: +*`rsa.misc.ruid`*:: + -- type: keyword -- -*`cisco.rsa.misc.sburb`*:: +*`rsa.misc.sburb`*:: + -- type: keyword -- -*`cisco.rsa.misc.sdomain_fld`*:: +*`rsa.misc.sdomain_fld`*:: + -- type: keyword -- -*`cisco.rsa.misc.sec`*:: +*`rsa.misc.sec`*:: + -- type: 
keyword -- -*`cisco.rsa.misc.sensorname`*:: +*`rsa.misc.sensorname`*:: + -- type: keyword -- -*`cisco.rsa.misc.seqnum`*:: +*`rsa.misc.seqnum`*:: + -- type: keyword -- -*`cisco.rsa.misc.session`*:: +*`rsa.misc.session`*:: + -- type: keyword -- -*`cisco.rsa.misc.sessiontype`*:: +*`rsa.misc.sessiontype`*:: + -- type: keyword -- -*`cisco.rsa.misc.sigUUID`*:: +*`rsa.misc.sigUUID`*:: + -- type: keyword -- -*`cisco.rsa.misc.spi`*:: +*`rsa.misc.spi`*:: + -- type: keyword -- -*`cisco.rsa.misc.srcburb`*:: +*`rsa.misc.srcburb`*:: + -- type: keyword -- -*`cisco.rsa.misc.srcdom`*:: +*`rsa.misc.srcdom`*:: + -- type: keyword -- -*`cisco.rsa.misc.srcservice`*:: +*`rsa.misc.srcservice`*:: + -- type: keyword -- -*`cisco.rsa.misc.state`*:: +*`rsa.misc.state`*:: + -- type: keyword -- -*`cisco.rsa.misc.status1`*:: +*`rsa.misc.status1`*:: + -- type: keyword -- -*`cisco.rsa.misc.svcno`*:: +*`rsa.misc.svcno`*:: + -- type: keyword -- -*`cisco.rsa.misc.system`*:: +*`rsa.misc.system`*:: + -- type: keyword -- -*`cisco.rsa.misc.tbdstr1`*:: +*`rsa.misc.tbdstr1`*:: + -- type: keyword -- -*`cisco.rsa.misc.tgtdom`*:: +*`rsa.misc.tgtdom`*:: + -- type: keyword -- -*`cisco.rsa.misc.tgtdomain`*:: +*`rsa.misc.tgtdomain`*:: + -- type: keyword -- -*`cisco.rsa.misc.threshold`*:: +*`rsa.misc.threshold`*:: + -- type: keyword -- -*`cisco.rsa.misc.type1`*:: +*`rsa.misc.type1`*:: + -- type: keyword -- -*`cisco.rsa.misc.udb_class`*:: +*`rsa.misc.udb_class`*:: + -- type: keyword -- -*`cisco.rsa.misc.url_fld`*:: +*`rsa.misc.url_fld`*:: + -- type: keyword -- -*`cisco.rsa.misc.user_div`*:: +*`rsa.misc.user_div`*:: + -- type: keyword -- -*`cisco.rsa.misc.userid`*:: +*`rsa.misc.userid`*:: + -- type: keyword -- -*`cisco.rsa.misc.username_fld`*:: +*`rsa.misc.username_fld`*:: + -- type: keyword -- -*`cisco.rsa.misc.utcstamp`*:: +*`rsa.misc.utcstamp`*:: + -- type: keyword -- -*`cisco.rsa.misc.v_instafname`*:: +*`rsa.misc.v_instafname`*:: + -- type: keyword -- -*`cisco.rsa.misc.virt_data`*:: +*`rsa.misc.virt_data`*:: + -- 
type: keyword -- -*`cisco.rsa.misc.vpnid`*:: +*`rsa.misc.vpnid`*:: + -- type: keyword -- -*`cisco.rsa.misc.autorun_type`*:: +*`rsa.misc.autorun_type`*:: + -- This is used to capture Auto Run type @@ -24495,7 +24488,7 @@ type: keyword -- -*`cisco.rsa.misc.cc_number`*:: +*`rsa.misc.cc_number`*:: + -- Valid Credit Card Numbers only @@ -24504,7 +24497,7 @@ type: long -- -*`cisco.rsa.misc.content`*:: +*`rsa.misc.content`*:: + -- This key captures the content type from protocol headers @@ -24513,7 +24506,7 @@ type: keyword -- -*`cisco.rsa.misc.ein_number`*:: +*`rsa.misc.ein_number`*:: + -- Employee Identification Numbers only @@ -24522,7 +24515,7 @@ type: long -- -*`cisco.rsa.misc.found`*:: +*`rsa.misc.found`*:: + -- This is used to capture the results of regex match @@ -24531,7 +24524,7 @@ type: keyword -- -*`cisco.rsa.misc.language`*:: +*`rsa.misc.language`*:: + -- This is used to capture list of languages the client support and what it prefers @@ -24540,7 +24533,7 @@ type: keyword -- -*`cisco.rsa.misc.lifetime`*:: +*`rsa.misc.lifetime`*:: + -- This key is used to capture the session lifetime in seconds. @@ -24549,7 +24542,7 @@ type: long -- -*`cisco.rsa.misc.link`*:: +*`rsa.misc.link`*:: + -- This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -24558,7 +24551,7 @@ type: keyword -- -*`cisco.rsa.misc.match`*:: +*`rsa.misc.match`*:: + -- This key is for regex match name from search.ini @@ -24567,7 +24560,7 @@ type: keyword -- -*`cisco.rsa.misc.param_dst`*:: +*`rsa.misc.param_dst`*:: + -- This key captures the command line/launch argument of the target process or file @@ -24576,7 +24569,7 @@ type: keyword -- -*`cisco.rsa.misc.param_src`*:: +*`rsa.misc.param_src`*:: + -- This key captures source parameter @@ -24585,7 +24578,7 @@ type: keyword -- -*`cisco.rsa.misc.search_text`*:: +*`rsa.misc.search_text`*:: + -- This key captures the Search Text used 
@@ -24594,7 +24587,7 @@ type: keyword -- -*`cisco.rsa.misc.sig_name`*:: +*`rsa.misc.sig_name`*:: + -- This key is used to capture the Signature Name only. @@ -24603,7 +24596,7 @@ type: keyword -- -*`cisco.rsa.misc.snmp_value`*:: +*`rsa.misc.snmp_value`*:: + -- SNMP set request value @@ -24612,7 +24605,7 @@ type: keyword -- -*`cisco.rsa.misc.streams`*:: +*`rsa.misc.streams`*:: + -- This key captures number of streams in session @@ -24622,7 +24615,7 @@ type: long -- -*`cisco.rsa.db.index`*:: +*`rsa.db.index`*:: + -- This key captures IndexID of the index. @@ -24631,7 +24624,7 @@ type: keyword -- -*`cisco.rsa.db.instance`*:: +*`rsa.db.instance`*:: + -- This key is used to capture the database server instance name @@ -24640,7 +24633,7 @@ type: keyword -- -*`cisco.rsa.db.database`*:: +*`rsa.db.database`*:: + -- This key is used to capture the name of a database or an instance as seen in a session @@ -24649,7 +24642,7 @@ type: keyword -- -*`cisco.rsa.db.transact_id`*:: +*`rsa.db.transact_id`*:: + -- This key captures the SQL transantion ID of the current session @@ -24658,7 +24651,7 @@ type: keyword -- -*`cisco.rsa.db.permissions`*:: +*`rsa.db.permissions`*:: + -- This key captures permission or privilege level assigned to a resource. @@ -24667,7 +24660,7 @@ type: keyword -- -*`cisco.rsa.db.table_name`*:: +*`rsa.db.table_name`*:: + -- This key is used to capture the table name @@ -24676,7 +24669,7 @@ type: keyword -- -*`cisco.rsa.db.db_id`*:: +*`rsa.db.db_id`*:: + -- This key is used to capture the unique identifier for a database @@ -24685,7 +24678,7 @@ type: keyword -- -*`cisco.rsa.db.db_pid`*:: +*`rsa.db.db_pid`*:: + -- This key captures the process id of a connection with database server @@ -24694,7 +24687,7 @@ type: long -- -*`cisco.rsa.db.lread`*:: +*`rsa.db.lread`*:: + -- This key is used for the number of logical reads @@ -24703,7 +24696,7 @@ type: long -- -*`cisco.rsa.db.lwrite`*:: +*`rsa.db.lwrite`*:: + -- This key is used for the number of logical writes 
@@ -24712,7 +24705,7 @@ type: long -- -*`cisco.rsa.db.pread`*:: +*`rsa.db.pread`*:: + -- This key is used for the number of physical writes @@ -24722,7 +24715,7 @@ type: long -- -*`cisco.rsa.network.alias_host`*:: +*`rsa.network.alias_host`*:: + -- This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. @@ -24731,14 +24724,14 @@ type: keyword -- -*`cisco.rsa.network.domain`*:: +*`rsa.network.domain`*:: + -- type: keyword -- -*`cisco.rsa.network.host_dst`*:: +*`rsa.network.host_dst`*:: + -- This key should only be used when it’s a Destination Hostname @@ -24747,7 +24740,7 @@ type: keyword -- -*`cisco.rsa.network.network_service`*:: +*`rsa.network.network_service`*:: + -- This is used to capture layer 7 protocols/service names @@ -24756,7 +24749,7 @@ type: keyword -- -*`cisco.rsa.network.interface`*:: +*`rsa.network.interface`*:: + -- This key should be used when the source or destination context of an interface is not clear @@ -24765,7 +24758,7 @@ type: keyword -- -*`cisco.rsa.network.network_port`*:: +*`rsa.network.network_port`*:: + -- Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) @@ -24774,7 +24767,7 @@ type: long -- -*`cisco.rsa.network.eth_host`*:: +*`rsa.network.eth_host`*:: + -- Deprecated, use alias.mac @@ -24783,7 +24776,7 @@ type: keyword -- -*`cisco.rsa.network.sinterface`*:: +*`rsa.network.sinterface`*:: + -- This key should only be used when it’s a Source Interface @@ -24792,7 +24785,7 @@ type: keyword -- -*`cisco.rsa.network.dinterface`*:: +*`rsa.network.dinterface`*:: + -- This key should only be used when it’s a Destination Interface @@ -24801,7 +24794,7 @@ type: keyword -- -*`cisco.rsa.network.vlan`*:: +*`rsa.network.vlan`*:: + -- This key should only be used to capture the ID of the Virtual LAN 
@@ -24810,7 +24803,7 @@ type: long -- -*`cisco.rsa.network.zone_src`*:: +*`rsa.network.zone_src`*:: + -- This key should only be used when it’s a Source Zone. @@ -24819,7 +24812,7 @@ type: keyword -- -*`cisco.rsa.network.zone`*:: +*`rsa.network.zone`*:: + -- This key should be used when the source or destination context of a Zone is not clear @@ -24828,7 +24821,7 @@ type: keyword -- -*`cisco.rsa.network.zone_dst`*:: +*`rsa.network.zone_dst`*:: + -- This key should only be used when it’s a Destination Zone. @@ -24837,7 +24830,7 @@ type: keyword -- -*`cisco.rsa.network.gateway`*:: +*`rsa.network.gateway`*:: + -- This key is used to capture the IP Address of the gateway @@ -24846,7 +24839,7 @@ type: keyword -- -*`cisco.rsa.network.icmp_type`*:: +*`rsa.network.icmp_type`*:: + -- This key is used to capture the ICMP type only @@ -24855,7 +24848,7 @@ type: long -- -*`cisco.rsa.network.mask`*:: +*`rsa.network.mask`*:: + -- This key is used to capture the device network IPmask. @@ -24864,7 +24857,7 @@ type: keyword -- -*`cisco.rsa.network.icmp_code`*:: +*`rsa.network.icmp_code`*:: + -- This key is used to capture the ICMP code only @@ -24873,7 +24866,7 @@ type: long -- -*`cisco.rsa.network.protocol_detail`*:: +*`rsa.network.protocol_detail`*:: + -- This key should be used to capture additional protocol information @@ -24882,7 +24875,7 @@ type: keyword -- -*`cisco.rsa.network.dmask`*:: +*`rsa.network.dmask`*:: + -- This key is used for Destionation Device network mask @@ -24891,7 +24884,7 @@ type: keyword -- -*`cisco.rsa.network.port`*:: +*`rsa.network.port`*:: + -- This key should only be used to capture a Network Port when the directionality is not clear @@ -24900,7 +24893,7 @@ type: long -- -*`cisco.rsa.network.smask`*:: +*`rsa.network.smask`*:: + -- This key is used for capturing source Network Mask 
@@ -24909,7 +24902,7 @@ type: keyword -- -*`cisco.rsa.network.netname`*:: +*`rsa.network.netname`*:: + -- This key is used to capture the network name associated with an IP range. This is configured by the end user. @@ -24918,7 +24911,7 @@ type: keyword -- -*`cisco.rsa.network.paddr`*:: +*`rsa.network.paddr`*:: + -- Deprecated @@ -24927,91 +24920,91 @@ type: ip -- -*`cisco.rsa.network.faddr`*:: +*`rsa.network.faddr`*:: + -- type: keyword -- -*`cisco.rsa.network.lhost`*:: +*`rsa.network.lhost`*:: + -- type: keyword -- -*`cisco.rsa.network.origin`*:: +*`rsa.network.origin`*:: + -- type: keyword -- -*`cisco.rsa.network.remote_domain_id`*:: +*`rsa.network.remote_domain_id`*:: + -- type: keyword -- -*`cisco.rsa.network.addr`*:: +*`rsa.network.addr`*:: + -- type: keyword -- -*`cisco.rsa.network.dns_a_record`*:: +*`rsa.network.dns_a_record`*:: + -- type: keyword -- -*`cisco.rsa.network.dns_ptr_record`*:: +*`rsa.network.dns_ptr_record`*:: + -- type: keyword -- -*`cisco.rsa.network.fhost`*:: +*`rsa.network.fhost`*:: + -- type: keyword -- -*`cisco.rsa.network.fport`*:: +*`rsa.network.fport`*:: + -- type: keyword -- -*`cisco.rsa.network.laddr`*:: +*`rsa.network.laddr`*:: + -- type: keyword -- -*`cisco.rsa.network.linterface`*:: +*`rsa.network.linterface`*:: + -- type: keyword -- -*`cisco.rsa.network.phost`*:: +*`rsa.network.phost`*:: + -- type: keyword -- -*`cisco.rsa.network.ad_computer_dst`*:: +*`rsa.network.ad_computer_dst`*:: + -- Deprecated, use host.dst @@ -25020,7 +25013,7 @@ type: keyword -- -*`cisco.rsa.network.eth_type`*:: +*`rsa.network.eth_type`*:: + -- This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only @@ -25029,7 +25022,7 @@ type: long -- -*`cisco.rsa.network.ip_proto`*:: +*`rsa.network.ip_proto`*:: + -- This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI 
@@ -25038,63 +25031,63 @@ type: long -- -*`cisco.rsa.network.dns_cname_record`*:: +*`rsa.network.dns_cname_record`*:: + -- type: keyword -- -*`cisco.rsa.network.dns_id`*:: +*`rsa.network.dns_id`*:: + -- type: keyword -- -*`cisco.rsa.network.dns_opcode`*:: +*`rsa.network.dns_opcode`*:: + -- type: keyword -- -*`cisco.rsa.network.dns_resp`*:: +*`rsa.network.dns_resp`*:: + -- type: keyword -- -*`cisco.rsa.network.dns_type`*:: +*`rsa.network.dns_type`*:: + -- type: keyword -- -*`cisco.rsa.network.domain1`*:: +*`rsa.network.domain1`*:: + -- type: keyword -- -*`cisco.rsa.network.host_type`*:: +*`rsa.network.host_type`*:: + -- type: keyword -- -*`cisco.rsa.network.packet_length`*:: +*`rsa.network.packet_length`*:: + -- type: keyword -- -*`cisco.rsa.network.host_orig`*:: +*`rsa.network.host_orig`*:: + -- This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. @@ -25103,7 +25096,7 @@ type: keyword -- -*`cisco.rsa.network.rpayload`*:: +*`rsa.network.rpayload`*:: + -- This key is used to capture the total number of payload bytes seen in the retransmitted packets. @@ -25112,7 +25105,7 @@ type: keyword -- -*`cisco.rsa.network.vlan_name`*:: +*`rsa.network.vlan_name`*:: + -- This key should only be used to capture the name of the Virtual LAN @@ -25122,7 +25115,7 @@ type: keyword -- -*`cisco.rsa.investigations.ec_activity`*:: +*`rsa.investigations.ec_activity`*:: + -- This key captures the particular event activity(Ex:Logoff) @@ -25131,7 +25124,7 @@ type: keyword -- -*`cisco.rsa.investigations.ec_theme`*:: +*`rsa.investigations.ec_theme`*:: + -- This key captures the Theme of a particular Event(Ex:Authentication) @@ -25140,7 +25133,7 @@ type: keyword -- -*`cisco.rsa.investigations.ec_subject`*:: +*`rsa.investigations.ec_subject`*:: + -- This key captures the Subject of a particular Event(Ex:User) 
@@ -25149,7 +25142,7 @@ type: keyword -- -*`cisco.rsa.investigations.ec_outcome`*:: +*`rsa.investigations.ec_outcome`*:: + -- This key captures the outcome of a particular Event(Ex:Success) @@ -25158,7 +25151,7 @@ type: keyword -- -*`cisco.rsa.investigations.event_cat`*:: +*`rsa.investigations.event_cat`*:: + -- This key captures the Event category number @@ -25167,7 +25160,7 @@ type: long -- -*`cisco.rsa.investigations.event_cat_name`*:: +*`rsa.investigations.event_cat_name`*:: + -- This key captures the event category name corresponding to the event cat code @@ -25176,7 +25169,7 @@ type: keyword -- -*`cisco.rsa.investigations.event_vcat`*:: +*`rsa.investigations.event_vcat`*:: + -- This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. @@ -25185,7 +25178,7 @@ type: keyword -- -*`cisco.rsa.investigations.analysis_file`*:: +*`rsa.investigations.analysis_file`*:: + -- This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file @@ -25194,7 +25187,7 @@ type: keyword -- -*`cisco.rsa.investigations.analysis_service`*:: +*`rsa.investigations.analysis_service`*:: + -- This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service @@ -25203,7 +25196,7 @@ type: keyword -- -*`cisco.rsa.investigations.analysis_session`*:: +*`rsa.investigations.analysis_session`*:: + -- This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session @@ -25212,7 +25205,7 @@ type: keyword -- -*`cisco.rsa.investigations.boc`*:: +*`rsa.investigations.boc`*:: + -- This is used to capture behaviour of compromise @@ -25221,7 +25214,7 @@ type: keyword -- -*`cisco.rsa.investigations.eoc`*:: +*`rsa.investigations.eoc`*:: + -- This is used to capture Enablers of Compromise 
@@ -25230,7 +25223,7 @@ type: keyword -- -*`cisco.rsa.investigations.inv_category`*:: +*`rsa.investigations.inv_category`*:: + -- This used to capture investigation category @@ -25239,7 +25232,7 @@ type: keyword -- -*`cisco.rsa.investigations.inv_context`*:: +*`rsa.investigations.inv_context`*:: + -- This used to capture investigation context @@ -25248,7 +25241,7 @@ type: keyword -- -*`cisco.rsa.investigations.ioc`*:: +*`rsa.investigations.ioc`*:: + -- This is key capture indicator of compromise @@ -25258,7 +25251,7 @@ type: keyword -- -*`cisco.rsa.counters.dclass_c1`*:: +*`rsa.counters.dclass_c1`*:: + -- This is a generic counter key that should be used with the label dclass.c1.str only @@ -25267,7 +25260,7 @@ type: long -- -*`cisco.rsa.counters.dclass_c2`*:: +*`rsa.counters.dclass_c2`*:: + -- This is a generic counter key that should be used with the label dclass.c2.str only @@ -25276,7 +25269,7 @@ type: long -- -*`cisco.rsa.counters.event_counter`*:: +*`rsa.counters.event_counter`*:: + -- This is used to capture the number of times an event repeated @@ -25285,7 +25278,7 @@ type: long -- -*`cisco.rsa.counters.dclass_r1`*:: +*`rsa.counters.dclass_r1`*:: + -- This is a generic ratio key that should be used with the label dclass.r1.str only @@ -25294,7 +25287,7 @@ type: keyword -- -*`cisco.rsa.counters.dclass_c3`*:: +*`rsa.counters.dclass_c3`*:: + -- This is a generic counter key that should be used with the label dclass.c3.str only @@ -25303,7 +25296,7 @@ type: long -- -*`cisco.rsa.counters.dclass_c1_str`*:: +*`rsa.counters.dclass_c1_str`*:: + -- This is a generic counter string key that should be used with the label dclass.c1 only @@ -25312,7 +25305,7 @@ type: keyword -- -*`cisco.rsa.counters.dclass_c2_str`*:: +*`rsa.counters.dclass_c2_str`*:: + -- This is a generic counter string key that should be used with the label dclass.c2 only 
@@ -25321,7 +25314,7 @@ type: keyword -- -*`cisco.rsa.counters.dclass_r1_str`*:: +*`rsa.counters.dclass_r1_str`*:: + -- This is a generic ratio string key that should be used with the label dclass.r1 only @@ -25330,7 +25323,7 @@ type: keyword -- -*`cisco.rsa.counters.dclass_r2`*:: +*`rsa.counters.dclass_r2`*:: + -- This is a generic ratio key that should be used with the label dclass.r2.str only @@ -25339,7 +25332,7 @@ type: keyword -- -*`cisco.rsa.counters.dclass_c3_str`*:: +*`rsa.counters.dclass_c3_str`*:: + -- This is a generic counter string key that should be used with the label dclass.c3 only @@ -25348,7 +25341,7 @@ type: keyword -- -*`cisco.rsa.counters.dclass_r3`*:: +*`rsa.counters.dclass_r3`*:: + -- This is a generic ratio key that should be used with the label dclass.r3.str only @@ -25357,7 +25350,7 @@ type: keyword -- -*`cisco.rsa.counters.dclass_r2_str`*:: +*`rsa.counters.dclass_r2_str`*:: + -- This is a generic ratio string key that should be used with the label dclass.r2 only @@ -25366,7 +25359,7 @@ type: keyword -- -*`cisco.rsa.counters.dclass_r3_str`*:: +*`rsa.counters.dclass_r3_str`*:: + -- This is a generic ratio string key that should be used with the label dclass.r3 only @@ -25376,7 +25369,7 @@ type: keyword -- -*`cisco.rsa.identity.auth_method`*:: +*`rsa.identity.auth_method`*:: + -- This key is used to capture authentication methods used only @@ -25385,7 +25378,7 @@ type: keyword -- -*`cisco.rsa.identity.user_role`*:: +*`rsa.identity.user_role`*:: + -- This key is used to capture the Role of a user only @@ -25394,7 +25387,7 @@ type: keyword -- -*`cisco.rsa.identity.dn`*:: +*`rsa.identity.dn`*:: + -- X.500 (LDAP) Distinguished Name @@ -25403,7 +25396,7 @@ type: keyword -- -*`cisco.rsa.identity.logon_type`*:: +*`rsa.identity.logon_type`*:: + -- This key is used to capture the type of logon method used. 
@@ -25412,7 +25405,7 @@ type: keyword -- -*`cisco.rsa.identity.profile`*:: +*`rsa.identity.profile`*:: + -- This key is used to capture the user profile @@ -25421,7 +25414,7 @@ type: keyword -- -*`cisco.rsa.identity.accesses`*:: +*`rsa.identity.accesses`*:: + -- This key is used to capture actual privileges used in accessing an object @@ -25430,7 +25423,7 @@ type: keyword -- -*`cisco.rsa.identity.realm`*:: +*`rsa.identity.realm`*:: + -- Radius realm or similar grouping of accounts @@ -25439,7 +25432,7 @@ type: keyword -- -*`cisco.rsa.identity.user_sid_dst`*:: +*`rsa.identity.user_sid_dst`*:: + -- This key captures Destination User Session ID @@ -25448,7 +25441,7 @@ type: keyword -- -*`cisco.rsa.identity.dn_src`*:: +*`rsa.identity.dn_src`*:: + -- An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn @@ -25457,7 +25450,7 @@ type: keyword -- -*`cisco.rsa.identity.org`*:: +*`rsa.identity.org`*:: + -- This key captures the User organization @@ -25466,7 +25459,7 @@ type: keyword -- -*`cisco.rsa.identity.dn_dst`*:: +*`rsa.identity.dn_dst`*:: + -- An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn @@ -25475,7 +25468,7 @@ type: keyword -- -*`cisco.rsa.identity.firstname`*:: +*`rsa.identity.firstname`*:: + -- This key is for First Names only, this is used for Healthcare predominantly to capture Patients information @@ -25484,7 +25477,7 @@ type: keyword -- -*`cisco.rsa.identity.lastname`*:: +*`rsa.identity.lastname`*:: + -- This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information @@ -25493,7 +25486,7 @@ type: keyword -- -*`cisco.rsa.identity.user_dept`*:: +*`rsa.identity.user_dept`*:: + -- User's Department Names only @@ -25502,7 +25495,7 @@ type: keyword -- -*`cisco.rsa.identity.user_sid_src`*:: +*`rsa.identity.user_sid_src`*:: + -- This key captures Source User Session ID 
@@ -25511,7 +25504,7 @@ type: keyword -- -*`cisco.rsa.identity.federated_sp`*:: +*`rsa.identity.federated_sp`*:: + -- This key is the Federated Service Provider. This is the application requesting authentication. @@ -25520,7 +25513,7 @@ type: keyword -- -*`cisco.rsa.identity.federated_idp`*:: +*`rsa.identity.federated_idp`*:: + -- This key is the federated Identity Provider. This is the server providing the authentication. @@ -25529,7 +25522,7 @@ type: keyword -- -*`cisco.rsa.identity.logon_type_desc`*:: +*`rsa.identity.logon_type_desc`*:: + -- This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. @@ -25538,7 +25531,7 @@ type: keyword -- -*`cisco.rsa.identity.middlename`*:: +*`rsa.identity.middlename`*:: + -- This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information @@ -25547,7 +25540,7 @@ type: keyword -- -*`cisco.rsa.identity.password`*:: +*`rsa.identity.password`*:: + -- This key is for Passwords seen in any session, plain text or encrypted @@ -25556,7 +25549,7 @@ type: keyword -- -*`cisco.rsa.identity.host_role`*:: +*`rsa.identity.host_role`*:: + -- This key should only be used to capture the role of a Host Machine @@ -25565,7 +25558,7 @@ type: keyword -- -*`cisco.rsa.identity.ldap`*:: +*`rsa.identity.ldap`*:: + -- This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context @@ -25574,7 +25567,7 @@ type: keyword -- -*`cisco.rsa.identity.ldap_query`*:: +*`rsa.identity.ldap_query`*:: + -- This key is the Search criteria from an LDAP search @@ -25583,7 +25576,7 @@ type: keyword -- -*`cisco.rsa.identity.ldap_response`*:: +*`rsa.identity.ldap_response`*:: + -- This key is to capture Results from an LDAP search @@ -25592,7 +25585,7 @@ type: keyword -- -*`cisco.rsa.identity.owner`*:: +*`rsa.identity.owner`*:: + -- This is used to capture username the process or service is running as, the author of the task 
@@ -25601,7 +25594,7 @@ type: keyword -- -*`cisco.rsa.identity.service_account`*:: +*`rsa.identity.service_account`*:: + -- This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage @@ -25611,7 +25604,7 @@ type: keyword -- -*`cisco.rsa.email.email_dst`*:: +*`rsa.email.email_dst`*:: + -- This key is used to capture the Destination email address only, when the destination context is not clear use email @@ -25620,7 +25613,7 @@ type: keyword -- -*`cisco.rsa.email.email_src`*:: +*`rsa.email.email_src`*:: + -- This key is used to capture the source email address only, when the source context is not clear use email @@ -25629,7 +25622,7 @@ type: keyword -- -*`cisco.rsa.email.subject`*:: +*`rsa.email.subject`*:: + -- This key is used to capture the subject string from an Email only. @@ -25638,7 +25631,7 @@ type: keyword -- -*`cisco.rsa.email.email`*:: +*`rsa.email.email`*:: + -- This key is used to capture a generic email address where the source or destination context is not clear @@ -25647,7 +25640,7 @@ type: keyword -- -*`cisco.rsa.email.trans_from`*:: +*`rsa.email.trans_from`*:: + -- Deprecated key defined only in table map. @@ -25656,7 +25649,7 @@ type: keyword -- -*`cisco.rsa.email.trans_to`*:: +*`rsa.email.trans_to`*:: + -- Deprecated key defined only in table map. @@ -25666,7 +25659,7 @@ type: keyword -- -*`cisco.rsa.file.privilege`*:: +*`rsa.file.privilege`*:: + -- Deprecated, use permissions @@ -25675,7 +25668,7 @@ type: keyword -- -*`cisco.rsa.file.attachment`*:: +*`rsa.file.attachment`*:: + -- This key captures the attachment file name @@ -25684,14 +25677,14 @@ type: keyword -- -*`cisco.rsa.file.filesystem`*:: +*`rsa.file.filesystem`*:: + -- type: keyword -- -*`cisco.rsa.file.binary`*:: +*`rsa.file.binary`*:: + -- Deprecated key defined only in table map. 
@@ -25700,7 +25693,7 @@ type: keyword -- -*`cisco.rsa.file.filename_dst`*:: +*`rsa.file.filename_dst`*:: + -- This is used to capture name of the file targeted by the action @@ -25709,7 +25702,7 @@ type: keyword -- -*`cisco.rsa.file.filename_src`*:: +*`rsa.file.filename_src`*:: + -- This is used to capture name of the parent filename, the file which performed the action @@ -25718,14 +25711,14 @@ type: keyword -- -*`cisco.rsa.file.filename_tmp`*:: +*`rsa.file.filename_tmp`*:: + -- type: keyword -- -*`cisco.rsa.file.directory_dst`*:: +*`rsa.file.directory_dst`*:: + -- This key is used to capture the directory of the target process or file @@ -25734,7 +25727,7 @@ type: keyword -- -*`cisco.rsa.file.directory_src`*:: +*`rsa.file.directory_src`*:: + -- This key is used to capture the directory of the source process or file @@ -25743,7 +25736,7 @@ type: keyword -- -*`cisco.rsa.file.file_entropy`*:: +*`rsa.file.file_entropy`*:: + -- This is used to capture entropy vale of a file @@ -25752,7 +25745,7 @@ type: double -- -*`cisco.rsa.file.file_vendor`*:: +*`rsa.file.file_vendor`*:: + -- This is used to capture Company name of file located in version_info @@ -25761,7 +25754,7 @@ type: keyword -- -*`cisco.rsa.file.task_name`*:: +*`rsa.file.task_name`*:: + -- This is used to capture name of the task @@ -25771,7 +25764,7 @@ type: keyword -- -*`cisco.rsa.web.fqdn`*:: +*`rsa.web.fqdn`*:: + -- Fully Qualified Domain Names @@ -25780,7 +25773,7 @@ type: keyword -- -*`cisco.rsa.web.web_cookie`*:: +*`rsa.web.web_cookie`*:: + -- This key is used to capture the Web cookies specifically. @@ -25789,14 +25782,14 @@ type: keyword -- -*`cisco.rsa.web.alias_host`*:: +*`rsa.web.alias_host`*:: + -- type: keyword -- -*`cisco.rsa.web.reputation_num`*:: +*`rsa.web.reputation_num`*:: + -- Reputation Number of an entity. Typically used for Web Domains @@ -25805,7 +25798,7 @@ type: double -- -*`cisco.rsa.web.web_ref_domain`*:: +*`rsa.web.web_ref_domain`*:: + -- Web referer's domain 
@@ -25814,7 +25807,7 @@ type: keyword -- -*`cisco.rsa.web.web_ref_query`*:: +*`rsa.web.web_ref_query`*:: + -- This key captures Web referer's query portion of the URL @@ -25823,14 +25816,14 @@ type: keyword -- -*`cisco.rsa.web.remote_domain`*:: +*`rsa.web.remote_domain`*:: + -- type: keyword -- -*`cisco.rsa.web.web_ref_page`*:: +*`rsa.web.web_ref_page`*:: + -- This key captures Web referer's page information @@ -25839,7 +25832,7 @@ type: keyword -- -*`cisco.rsa.web.web_ref_root`*:: +*`rsa.web.web_ref_root`*:: + -- Web referer's root URL path @@ -25848,77 +25841,77 @@ type: keyword -- -*`cisco.rsa.web.cn_asn_dst`*:: +*`rsa.web.cn_asn_dst`*:: + -- type: keyword -- -*`cisco.rsa.web.cn_rpackets`*:: +*`rsa.web.cn_rpackets`*:: + -- type: keyword -- -*`cisco.rsa.web.urlpage`*:: +*`rsa.web.urlpage`*:: + -- type: keyword -- -*`cisco.rsa.web.urlroot`*:: +*`rsa.web.urlroot`*:: + -- type: keyword -- -*`cisco.rsa.web.p_url`*:: +*`rsa.web.p_url`*:: + -- type: keyword -- -*`cisco.rsa.web.p_user_agent`*:: +*`rsa.web.p_user_agent`*:: + -- type: keyword -- -*`cisco.rsa.web.p_web_cookie`*:: +*`rsa.web.p_web_cookie`*:: + -- type: keyword -- -*`cisco.rsa.web.p_web_method`*:: +*`rsa.web.p_web_method`*:: + -- type: keyword -- -*`cisco.rsa.web.p_web_referer`*:: +*`rsa.web.p_web_referer`*:: + -- type: keyword -- -*`cisco.rsa.web.web_extension_tmp`*:: +*`rsa.web.web_extension_tmp`*:: + -- type: keyword -- -*`cisco.rsa.web.web_page`*:: +*`rsa.web.web_page`*:: + -- type: keyword @@ -25926,7 +25919,7 @@ type: keyword -- -*`cisco.rsa.threat.threat_category`*:: +*`rsa.threat.threat_category`*:: + -- This key captures Threat Name/Threat Category/Categorization of alert @@ -25935,7 +25928,7 @@ type: keyword -- -*`cisco.rsa.threat.threat_desc`*:: +*`rsa.threat.threat_desc`*:: + -- This key is used to capture the threat description from the session directly or inferred 
@@ -25944,7 +25937,7 @@ type: keyword -- -*`cisco.rsa.threat.alert`*:: +*`rsa.threat.alert`*:: + -- This key is used to capture name of the alert @@ -25953,7 +25946,7 @@ type: keyword -- -*`cisco.rsa.threat.threat_source`*:: +*`rsa.threat.threat_source`*:: + -- This key is used to capture source of the threat @@ -25963,7 +25956,7 @@ type: keyword -- -*`cisco.rsa.crypto.crypto`*:: +*`rsa.crypto.crypto`*:: + -- This key is used to capture the Encryption Type or Encryption Key only @@ -25972,7 +25965,7 @@ type: keyword -- -*`cisco.rsa.crypto.cipher_src`*:: +*`rsa.crypto.cipher_src`*:: + -- This key is for Source (Client) Cipher @@ -25981,7 +25974,7 @@ type: keyword -- -*`cisco.rsa.crypto.cert_subject`*:: +*`rsa.crypto.cert_subject`*:: + -- This key is used to capture the Certificate organization only @@ -25990,7 +25983,7 @@ type: keyword -- -*`cisco.rsa.crypto.peer`*:: +*`rsa.crypto.peer`*:: + -- This key is for Encryption peer's IP Address @@ -25999,7 +25992,7 @@ type: keyword -- -*`cisco.rsa.crypto.cipher_size_src`*:: +*`rsa.crypto.cipher_size_src`*:: + -- This key captures Source (Client) Cipher Size @@ -26008,7 +26001,7 @@ type: long -- -*`cisco.rsa.crypto.ike`*:: +*`rsa.crypto.ike`*:: + -- IKE negotiation phase. @@ -26017,7 +26010,7 @@ type: keyword -- -*`cisco.rsa.crypto.scheme`*:: +*`rsa.crypto.scheme`*:: + -- This key captures the Encryption scheme used @@ -26026,7 +26019,7 @@ type: keyword -- -*`cisco.rsa.crypto.peer_id`*:: +*`rsa.crypto.peer_id`*:: + -- This key is for Encryption peer’s identity @@ -26035,7 +26028,7 @@ type: keyword -- -*`cisco.rsa.crypto.sig_type`*:: +*`rsa.crypto.sig_type`*:: + -- This key captures the Signature Type @@ -26044,14 +26037,14 @@ type: keyword -- -*`cisco.rsa.crypto.cert_issuer`*:: +*`rsa.crypto.cert_issuer`*:: + -- type: keyword -- -*`cisco.rsa.crypto.cert_host_name`*:: +*`rsa.crypto.cert_host_name`*:: + -- Deprecated key defined only in table map. 
@@ -26060,7 +26053,7 @@ type: keyword -- -*`cisco.rsa.crypto.cert_error`*:: +*`rsa.crypto.cert_error`*:: + -- This key captures the Certificate Error String @@ -26069,7 +26062,7 @@ type: keyword -- -*`cisco.rsa.crypto.cipher_dst`*:: +*`rsa.crypto.cipher_dst`*:: + -- This key is for Destination (Server) Cipher @@ -26078,7 +26071,7 @@ type: keyword -- -*`cisco.rsa.crypto.cipher_size_dst`*:: +*`rsa.crypto.cipher_size_dst`*:: + -- This key captures Destination (Server) Cipher Size @@ -26087,7 +26080,7 @@ type: long -- -*`cisco.rsa.crypto.ssl_ver_src`*:: +*`rsa.crypto.ssl_ver_src`*:: + -- Deprecated, use version @@ -26096,21 +26089,21 @@ type: keyword -- -*`cisco.rsa.crypto.d_certauth`*:: +*`rsa.crypto.d_certauth`*:: + -- type: keyword -- -*`cisco.rsa.crypto.s_certauth`*:: +*`rsa.crypto.s_certauth`*:: + -- type: keyword -- -*`cisco.rsa.crypto.ike_cookie1`*:: +*`rsa.crypto.ike_cookie1`*:: + -- ID of the negotiation — sent for ISAKMP Phase One @@ -26119,7 +26112,7 @@ type: keyword -- -*`cisco.rsa.crypto.ike_cookie2`*:: +*`rsa.crypto.ike_cookie2`*:: + -- ID of the negotiation — sent for ISAKMP Phase Two @@ -26128,14 +26121,14 @@ type: keyword -- -*`cisco.rsa.crypto.cert_checksum`*:: +*`rsa.crypto.cert_checksum`*:: + -- type: keyword -- -*`cisco.rsa.crypto.cert_host_cat`*:: +*`rsa.crypto.cert_host_cat`*:: + -- This key is used for the hostname category value of a certificate @@ -26144,7 +26137,7 @@ type: keyword -- -*`cisco.rsa.crypto.cert_serial`*:: +*`rsa.crypto.cert_serial`*:: + -- This key is used to capture the Certificate serial number only @@ -26153,7 +26146,7 @@ type: keyword -- -*`cisco.rsa.crypto.cert_status`*:: +*`rsa.crypto.cert_status`*:: + -- This key captures Certificate validation status @@ -26162,7 +26155,7 @@ type: keyword -- -*`cisco.rsa.crypto.ssl_ver_dst`*:: +*`rsa.crypto.ssl_ver_dst`*:: + -- Deprecated, use version 
@@ -26171,35 +26164,35 @@ type: keyword -- -*`cisco.rsa.crypto.cert_keysize`*:: +*`rsa.crypto.cert_keysize`*:: + -- type: keyword -- -*`cisco.rsa.crypto.cert_username`*:: +*`rsa.crypto.cert_username`*:: + -- type: keyword -- -*`cisco.rsa.crypto.https_insact`*:: +*`rsa.crypto.https_insact`*:: + -- type: keyword -- -*`cisco.rsa.crypto.https_valid`*:: +*`rsa.crypto.https_valid`*:: + -- type: keyword -- -*`cisco.rsa.crypto.cert_ca`*:: +*`rsa.crypto.cert_ca`*:: + -- This key is used to capture the Certificate signing authority only @@ -26208,7 +26201,7 @@ type: keyword -- -*`cisco.rsa.crypto.cert_common`*:: +*`rsa.crypto.cert_common`*:: + -- This key is used to capture the Certificate common name only @@ -26218,7 +26211,7 @@ type: keyword -- -*`cisco.rsa.wireless.wlan_ssid`*:: +*`rsa.wireless.wlan_ssid`*:: + -- This key is used to capture the ssid of a Wireless Session @@ -26227,7 +26220,7 @@ type: keyword -- -*`cisco.rsa.wireless.access_point`*:: +*`rsa.wireless.access_point`*:: + -- This key is used to capture the access point name. @@ -26236,7 +26229,7 @@ type: keyword -- -*`cisco.rsa.wireless.wlan_channel`*:: +*`rsa.wireless.wlan_channel`*:: + -- This is used to capture the channel names @@ -26245,7 +26238,7 @@ type: long -- -*`cisco.rsa.wireless.wlan_name`*:: +*`rsa.wireless.wlan_name`*:: + -- This key captures either WLAN number/name @@ -26255,7 +26248,7 @@ type: keyword -- -*`cisco.rsa.storage.disk_volume`*:: +*`rsa.storage.disk_volume`*:: + -- A unique name assigned to logical units (volumes) within a physical disk @@ -26264,7 +26257,7 @@ type: keyword -- -*`cisco.rsa.storage.lun`*:: +*`rsa.storage.lun`*:: + -- Logical Unit Number.This key is a very useful concept in Storage. @@ -26273,7 +26266,7 @@ type: keyword -- -*`cisco.rsa.storage.pwwn`*:: +*`rsa.storage.pwwn`*:: + -- This uniquely identifies a port on a HBA. 
@@ -26283,7 +26276,7 @@ type: keyword -- -*`cisco.rsa.physical.org_dst`*:: +*`rsa.physical.org_dst`*:: + -- This is used to capture the destination organization based on the GEOPIP Maxmind database. @@ -26292,7 +26285,7 @@ type: keyword -- -*`cisco.rsa.physical.org_src`*:: +*`rsa.physical.org_src`*:: + -- This is used to capture the source organization based on the GEOPIP Maxmind database. @@ -26302,7 +26295,7 @@ type: keyword -- -*`cisco.rsa.healthcare.patient_fname`*:: +*`rsa.healthcare.patient_fname`*:: + -- This key is for First Names only, this is used for Healthcare predominantly to capture Patients information @@ -26311,7 +26304,7 @@ type: keyword -- -*`cisco.rsa.healthcare.patient_id`*:: +*`rsa.healthcare.patient_id`*:: + -- This key captures the unique ID for a patient @@ -26320,7 +26313,7 @@ type: keyword -- -*`cisco.rsa.healthcare.patient_lname`*:: +*`rsa.healthcare.patient_lname`*:: + -- This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information @@ -26329,7 +26322,7 @@ type: keyword -- -*`cisco.rsa.healthcare.patient_mname`*:: +*`rsa.healthcare.patient_mname`*:: + -- This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information @@ -26339,7 +26332,7 @@ type: keyword -- -*`cisco.rsa.endpoint.host_state`*:: +*`rsa.endpoint.host_state`*:: + -- This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on @@ -26348,7 +26341,7 @@ type: keyword -- -*`cisco.rsa.endpoint.registry_key`*:: +*`rsa.endpoint.registry_key`*:: + -- This key captures the path to the registry key @@ -26357,7 +26350,7 @@ type: keyword -- -*`cisco.rsa.endpoint.registry_value`*:: +*`rsa.endpoint.registry_value`*:: + -- This key captures values or decorators used within a registry entry 
@@ -32022,7 +32015,7 @@ Meta data fields for each event that include type and timestamp. *`crowdstrike.metadata.eventType`*:: + -- -DetectionSummaryEvent, IncidentSummaryEvent, RemoteResponseSessionStartEvent, RemoteResponseSessionEndEvent, AuthActivityAuditEvent, or UserActivityAuditEvent +DetectionSummaryEvent, FirewallMatchEvent, IncidentSummaryEvent, RemoteResponseSessionStartEvent, RemoteResponseSessionEndEvent, AuthActivityAuditEvent, or UserActivityAuditEvent type: keyword @@ -32202,6 +32195,16 @@ type: keyword Executable path with command line arguments. +type: keyword + +-- + +*`crowdstrike.event.SHA1String`*:: ++ +-- +SHA1 sum of the executable associated with the detection. + + type: keyword -- @@ -32452,6 +32455,16 @@ type: date Fields that were changed in this event. +type: nested + +-- + +*`crowdstrike.event.ExecutablesWritten`*:: ++ +-- +Detected executables written to disk by a process. + + type: nested -- 
@@ -32496,6 +32509,406 @@ type: date -- +*`crowdstrike.event.LateralMovement`*:: ++ +-- +Lateral movement field for incident. + + +type: long + +-- + +*`crowdstrike.event.ParentImageFileName`*:: ++ +-- +Path to the parent process. + + +type: keyword + +-- + +*`crowdstrike.event.ParentCommandLine`*:: ++ +-- +Parent process command line arguments. + + +type: keyword + +-- + +*`crowdstrike.event.GrandparentImageFileName`*:: ++ +-- +Path to the grandparent process. + + +type: keyword + +-- + +*`crowdstrike.event.GrandparentCommandLine`*:: ++ +-- +Grandparent process command line arguments. + + +type: keyword + +-- + +*`crowdstrike.event.IOCType`*:: ++ +-- +CrowdStrike type for indicator of compromise. + + +type: keyword + +-- + +*`crowdstrike.event.IOCValue`*:: ++ +-- +CrowdStrike value for indicator of compromise. + + +type: keyword + +-- + +*`crowdstrike.event.CustomerId`*:: ++ +-- +Customer identifier. + + +type: keyword + +-- + +*`crowdstrike.event.DeviceId`*:: ++ +-- +Device on which the event occurred. + + +type: keyword + +-- + +*`crowdstrike.event.Ipv`*:: ++ +-- +Protocol for network request. + + +type: keyword + +-- + +*`crowdstrike.event.ConnectionDirection`*:: ++ +-- +Direction for network connection. + + +type: keyword + +-- + +*`crowdstrike.event.EventType`*:: ++ +-- +CrowdStrike provided event type. + + +type: keyword + +-- + +*`crowdstrike.event.HostName`*:: ++ +-- +Host name of the local machine. + + +type: keyword + +-- + +*`crowdstrike.event.ICMPCode`*:: ++ +-- +RFC2780 ICMP Code field. + + +type: keyword + +-- + +*`crowdstrike.event.ICMPType`*:: ++ +-- +RFC2780 ICMP Type field. + + +type: keyword + +-- + +*`crowdstrike.event.ImageFileName`*:: ++ +-- +File name of the associated process for the detection. + + +type: keyword + +-- + +*`crowdstrike.event.PID`*:: ++ +-- +Associated process id for the detection. + + +type: long + +-- + +*`crowdstrike.event.LocalAddress`*:: ++ +-- +IP address of local machine. 
+ + +type: ip + +-- + +*`crowdstrike.event.LocalPort`*:: ++ +-- +Port of local machine. + + +type: long + +-- + +*`crowdstrike.event.RemoteAddress`*:: ++ +-- +IP address of remote machine. + + +type: ip + +-- + +*`crowdstrike.event.RemotePort`*:: ++ +-- +Port of remote machine. + + +type: long + +-- + +*`crowdstrike.event.RuleAction`*:: ++ +-- +Firewall rule action. + + +type: keyword + +-- + +*`crowdstrike.event.RuleDescription`*:: ++ +-- +Firewall rule description. + + +type: keyword + +-- + +*`crowdstrike.event.RuleFamilyID`*:: ++ +-- +Firewall rule family id. + + +type: keyword + +-- + +*`crowdstrike.event.RuleGroupName`*:: ++ +-- +Firewall rule group name. + + +type: keyword + +-- + +*`crowdstrike.event.RuleName`*:: ++ +-- +Firewall rule name. + + +type: keyword + +-- + +*`crowdstrike.event.RuleId`*:: ++ +-- +Firewall rule id. + + +type: keyword + +-- + +*`crowdstrike.event.MatchCount`*:: ++ +-- +Number of firewall rule matches. + + +type: long + +-- + +*`crowdstrike.event.MatchCountSinceLastReport`*:: ++ +-- +Number of firewall rule matches since the last report. + + +type: long + +-- + +*`crowdstrike.event.Timestamp`*:: ++ +-- +Firewall rule triggered timestamp. + + +type: date + +-- + +*`crowdstrike.event.Flags.Audit`*:: ++ +-- +CrowdStrike audit flag. + + +type: boolean + +-- + +*`crowdstrike.event.Flags.Log`*:: ++ +-- +CrowdStrike log flag. + + +type: boolean + +-- + +*`crowdstrike.event.Flags.Monitor`*:: ++ +-- +CrowdStrike monitor flag. + + +type: boolean + +-- + +*`crowdstrike.event.Protocol`*:: ++ +-- +CrowdStrike provided protocol. + + +type: keyword + +-- + +*`crowdstrike.event.NetworkProfile`*:: ++ +-- +CrowdStrike network profile. + + +type: keyword + +-- + +*`crowdstrike.event.PolicyName`*:: ++ +-- +CrowdStrike policy name. + + +type: keyword + +-- + +*`crowdstrike.event.PolicyID`*:: ++ +-- +CrowdStrike policy id. + + +type: keyword + +-- + +*`crowdstrike.event.Status`*:: ++ +-- +CrowdStrike status. 
+ + +type: keyword + +-- + +*`crowdstrike.event.TreeID`*:: ++ +-- +CrowdStrike tree id. + + +type: keyword + +-- + +*`crowdstrike.event.Commands`*:: ++ +-- +Commands run in a remote session. + + +type: keyword + +-- + [[exported-fields-cylance]] == CylanceProtect fields @@ -51057,24 +51470,7 @@ fortinet Module -[float] -=== fortinet - -Fields from fortinet FortiOS - - - -*`fortinet.file.hash.crc32`*:: -+ --- -CRC32 Hash of file - - -type: keyword - --- - -*`fortinet.network.interface.name`*:: +*`network.interface.name`*:: + -- Name of the network interface where the traffic has been observed. @@ -51086,7 +51482,7 @@ type: keyword -*`fortinet.rsa.internal.msg`*:: +*`rsa.internal.msg`*:: + -- This key is used to capture the raw message that comes into the Log Decoder @@ -51095,21 +51491,21 @@ type: keyword -- -*`fortinet.rsa.internal.messageid`*:: +*`rsa.internal.messageid`*:: + -- type: keyword -- -*`fortinet.rsa.internal.event_desc`*:: +*`rsa.internal.event_desc`*:: + -- type: keyword -- -*`fortinet.rsa.internal.message`*:: +*`rsa.internal.message`*:: + -- This key captures the contents of instant messages @@ -51118,7 +51514,7 @@ type: keyword -- -*`fortinet.rsa.internal.time`*:: +*`rsa.internal.time`*:: + -- This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. @@ -51127,7 +51523,7 @@ type: date -- -*`fortinet.rsa.internal.level`*:: +*`rsa.internal.level`*:: + -- Deprecated key defined only in table map. @@ -51136,7 +51532,7 @@ type: long -- -*`fortinet.rsa.internal.msg_id`*:: +*`rsa.internal.msg_id`*:: + -- This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness 
@@ -51145,7 +51541,7 @@ type: keyword -- -*`fortinet.rsa.internal.msg_vid`*:: +*`rsa.internal.msg_vid`*:: + -- This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -51154,7 +51550,7 @@ type: keyword -- -*`fortinet.rsa.internal.data`*:: +*`rsa.internal.data`*:: + -- Deprecated key defined only in table map. @@ -51163,7 +51559,7 @@ type: keyword -- -*`fortinet.rsa.internal.obj_server`*:: +*`rsa.internal.obj_server`*:: + -- Deprecated key defined only in table map. @@ -51172,7 +51568,7 @@ type: keyword -- -*`fortinet.rsa.internal.obj_val`*:: +*`rsa.internal.obj_val`*:: + -- Deprecated key defined only in table map. @@ -51181,7 +51577,7 @@ type: keyword -- -*`fortinet.rsa.internal.resource`*:: +*`rsa.internal.resource`*:: + -- Deprecated key defined only in table map. @@ -51190,7 +51586,7 @@ type: keyword -- -*`fortinet.rsa.internal.obj_id`*:: +*`rsa.internal.obj_id`*:: + -- Deprecated key defined only in table map. @@ -51199,7 +51595,7 @@ type: keyword -- -*`fortinet.rsa.internal.statement`*:: +*`rsa.internal.statement`*:: + -- Deprecated key defined only in table map. @@ -51208,7 +51604,7 @@ type: keyword -- -*`fortinet.rsa.internal.audit_class`*:: +*`rsa.internal.audit_class`*:: + -- Deprecated key defined only in table map. @@ -51217,7 +51613,7 @@ type: keyword -- -*`fortinet.rsa.internal.entry`*:: +*`rsa.internal.entry`*:: + -- Deprecated key defined only in table map. @@ -51226,7 +51622,7 @@ type: keyword -- -*`fortinet.rsa.internal.hcode`*:: +*`rsa.internal.hcode`*:: + -- Deprecated key defined only in table map. @@ -51235,7 +51631,7 @@ type: keyword -- -*`fortinet.rsa.internal.inode`*:: +*`rsa.internal.inode`*:: + -- Deprecated key defined only in table map. 
@@ -51244,7 +51640,7 @@ type: long -- -*`fortinet.rsa.internal.resource_class`*:: +*`rsa.internal.resource_class`*:: + -- Deprecated key defined only in table map. @@ -51253,7 +51649,7 @@ type: keyword -- -*`fortinet.rsa.internal.dead`*:: +*`rsa.internal.dead`*:: + -- Deprecated key defined only in table map. @@ -51262,7 +51658,7 @@ type: long -- -*`fortinet.rsa.internal.feed_desc`*:: +*`rsa.internal.feed_desc`*:: + -- This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -51271,7 +51667,7 @@ type: keyword -- -*`fortinet.rsa.internal.feed_name`*:: +*`rsa.internal.feed_name`*:: + -- This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -51280,7 +51676,7 @@ type: keyword -- -*`fortinet.rsa.internal.cid`*:: +*`rsa.internal.cid`*:: + -- This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -51289,7 +51685,7 @@ type: keyword -- -*`fortinet.rsa.internal.device_class`*:: +*`rsa.internal.device_class`*:: + -- This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -51298,7 +51694,7 @@ type: keyword -- -*`fortinet.rsa.internal.device_group`*:: +*`rsa.internal.device_group`*:: + -- This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness 
@@ -51307,7 +51703,7 @@ type: keyword -- -*`fortinet.rsa.internal.device_host`*:: +*`rsa.internal.device_host`*:: + -- This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -51316,7 +51712,7 @@ type: keyword -- -*`fortinet.rsa.internal.device_ip`*:: +*`rsa.internal.device_ip`*:: + -- This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -51325,7 +51721,7 @@ type: ip -- -*`fortinet.rsa.internal.device_ipv6`*:: +*`rsa.internal.device_ipv6`*:: + -- This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -51334,7 +51730,7 @@ type: ip -- -*`fortinet.rsa.internal.device_type`*:: +*`rsa.internal.device_type`*:: + -- This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -51343,7 +51739,7 @@ type: keyword -- -*`fortinet.rsa.internal.device_type_id`*:: +*`rsa.internal.device_type_id`*:: + -- Deprecated key defined only in table map. @@ -51352,7 +51748,7 @@ type: long -- -*`fortinet.rsa.internal.did`*:: +*`rsa.internal.did`*:: + -- This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -51361,7 +51757,7 @@ type: keyword -- -*`fortinet.rsa.internal.entropy_req`*:: +*`rsa.internal.entropy_req`*:: + -- This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration 
@@ -51370,7 +51766,7 @@ type: long -- -*`fortinet.rsa.internal.entropy_res`*:: +*`rsa.internal.entropy_res`*:: + -- This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration @@ -51379,7 +51775,7 @@ type: long -- -*`fortinet.rsa.internal.event_name`*:: +*`rsa.internal.event_name`*:: + -- Deprecated key defined only in table map. @@ -51388,7 +51784,7 @@ type: keyword -- -*`fortinet.rsa.internal.feed_category`*:: +*`rsa.internal.feed_category`*:: + -- This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -51397,7 +51793,7 @@ type: keyword -- -*`fortinet.rsa.internal.forward_ip`*:: +*`rsa.internal.forward_ip`*:: + -- This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. @@ -51406,7 +51802,7 @@ type: ip -- -*`fortinet.rsa.internal.forward_ipv6`*:: +*`rsa.internal.forward_ipv6`*:: + -- This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -51415,7 +51811,7 @@ type: ip -- -*`fortinet.rsa.internal.header_id`*:: +*`rsa.internal.header_id`*:: + -- This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -51424,7 +51820,7 @@ type: keyword -- -*`fortinet.rsa.internal.lc_cid`*:: +*`rsa.internal.lc_cid`*:: + -- This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness 
@@ -51433,7 +51829,7 @@ type: keyword -- -*`fortinet.rsa.internal.lc_ctime`*:: +*`rsa.internal.lc_ctime`*:: + -- This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -51442,7 +51838,7 @@ type: date -- -*`fortinet.rsa.internal.mcb_req`*:: +*`rsa.internal.mcb_req`*:: + -- This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most @@ -51451,7 +51847,7 @@ type: long -- -*`fortinet.rsa.internal.mcb_res`*:: +*`rsa.internal.mcb_res`*:: + -- This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most @@ -51460,7 +51856,7 @@ type: long -- -*`fortinet.rsa.internal.mcbc_req`*:: +*`rsa.internal.mcbc_req`*:: + -- This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams @@ -51469,7 +51865,7 @@ type: long -- -*`fortinet.rsa.internal.mcbc_res`*:: +*`rsa.internal.mcbc_res`*:: + -- This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams @@ -51478,7 +51874,7 @@ type: long -- -*`fortinet.rsa.internal.medium`*:: +*`rsa.internal.medium`*:: + -- This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session @@ -51487,7 +51883,7 @@ type: long -- -*`fortinet.rsa.internal.node_name`*:: +*`rsa.internal.node_name`*:: + -- Deprecated key defined only in table map. 
@@ -51496,7 +51892,7 @@ type: keyword -- -*`fortinet.rsa.internal.nwe_callback_id`*:: +*`rsa.internal.nwe_callback_id`*:: + -- This key denotes that event is endpoint related @@ -51505,7 +51901,7 @@ type: keyword -- -*`fortinet.rsa.internal.parse_error`*:: +*`rsa.internal.parse_error`*:: + -- This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -51514,7 +51910,7 @@ type: keyword -- -*`fortinet.rsa.internal.payload_req`*:: +*`rsa.internal.payload_req`*:: + -- This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep @@ -51523,7 +51919,7 @@ type: long -- -*`fortinet.rsa.internal.payload_res`*:: +*`rsa.internal.payload_res`*:: + -- This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep @@ -51532,7 +51928,7 @@ type: long -- -*`fortinet.rsa.internal.process_vid_dst`*:: +*`rsa.internal.process_vid_dst`*:: + -- Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. @@ -51541,7 +51937,7 @@ type: keyword -- -*`fortinet.rsa.internal.process_vid_src`*:: +*`rsa.internal.process_vid_src`*:: + -- Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. @@ -51550,7 +51946,7 @@ type: keyword -- -*`fortinet.rsa.internal.rid`*:: +*`rsa.internal.rid`*:: + -- This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness 
@@ -51559,7 +51955,7 @@ type: long -- -*`fortinet.rsa.internal.session_split`*:: +*`rsa.internal.session_split`*:: + -- This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -51568,7 +51964,7 @@ type: keyword -- -*`fortinet.rsa.internal.site`*:: +*`rsa.internal.site`*:: + -- Deprecated key defined only in table map. @@ -51577,7 +51973,7 @@ type: keyword -- -*`fortinet.rsa.internal.size`*:: +*`rsa.internal.size`*:: + -- This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -51586,7 +51982,7 @@ type: long -- -*`fortinet.rsa.internal.sourcefile`*:: +*`rsa.internal.sourcefile`*:: + -- This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -51595,7 +51991,7 @@ type: keyword -- -*`fortinet.rsa.internal.ubc_req`*:: +*`rsa.internal.ubc_req`*:: + -- This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once @@ -51604,7 +52000,7 @@ type: long -- -*`fortinet.rsa.internal.ubc_res`*:: +*`rsa.internal.ubc_res`*:: + -- This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once @@ -51613,7 +52009,7 @@ type: long -- -*`fortinet.rsa.internal.word`*:: +*`rsa.internal.word`*:: + -- This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log 
@@ -51623,7 +52019,7 @@ type: keyword -- -*`fortinet.rsa.time.event_time`*:: +*`rsa.time.event_time`*:: + -- This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form @@ -51632,7 +52028,7 @@ type: date -- -*`fortinet.rsa.time.duration_time`*:: +*`rsa.time.duration_time`*:: + -- This key is used to capture the normalized duration/lifetime in seconds. @@ -51641,7 +52037,7 @@ type: double -- -*`fortinet.rsa.time.event_time_str`*:: +*`rsa.time.event_time_str`*:: + -- This key is used to capture the incomplete time mentioned in a session as a string @@ -51650,7 +52046,7 @@ type: keyword -- -*`fortinet.rsa.time.starttime`*:: +*`rsa.time.starttime`*:: + -- This key is used to capture the Start time mentioned in a session in a standard form @@ -51659,21 +52055,21 @@ type: date -- -*`fortinet.rsa.time.month`*:: +*`rsa.time.month`*:: + -- type: keyword -- -*`fortinet.rsa.time.day`*:: +*`rsa.time.day`*:: + -- type: keyword -- -*`fortinet.rsa.time.endtime`*:: +*`rsa.time.endtime`*:: + -- This key is used to capture the End time mentioned in a session in a standard form @@ -51682,7 +52078,7 @@ type: date -- -*`fortinet.rsa.time.timezone`*:: +*`rsa.time.timezone`*:: + -- This key is used to capture the timezone of the Event Time @@ -51691,7 +52087,7 @@ type: keyword -- -*`fortinet.rsa.time.duration_str`*:: +*`rsa.time.duration_str`*:: + -- A text string version of the duration @@ -51700,21 +52096,21 @@ type: keyword -- -*`fortinet.rsa.time.date`*:: +*`rsa.time.date`*:: + -- type: keyword -- -*`fortinet.rsa.time.year`*:: +*`rsa.time.year`*:: + -- type: keyword -- -*`fortinet.rsa.time.recorded_time`*:: +*`rsa.time.recorded_time`*:: + -- The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. 
@@ -51723,14 +52119,14 @@ type: date -- -*`fortinet.rsa.time.datetime`*:: +*`rsa.time.datetime`*:: + -- type: keyword -- -*`fortinet.rsa.time.effective_time`*:: +*`rsa.time.effective_time`*:: + -- This key is the effective time referenced by an individual event in a Standard Timestamp format @@ -51739,7 +52135,7 @@ type: date -- -*`fortinet.rsa.time.expire_time`*:: +*`rsa.time.expire_time`*:: + -- This key is the timestamp that explicitly refers to an expiration. @@ -51748,7 +52144,7 @@ type: date -- -*`fortinet.rsa.time.process_time`*:: +*`rsa.time.process_time`*:: + -- Deprecated, use duration.time @@ -51757,28 +52153,28 @@ type: keyword -- -*`fortinet.rsa.time.hour`*:: +*`rsa.time.hour`*:: + -- type: keyword -- -*`fortinet.rsa.time.min`*:: +*`rsa.time.min`*:: + -- type: keyword -- -*`fortinet.rsa.time.timestamp`*:: +*`rsa.time.timestamp`*:: + -- type: keyword -- -*`fortinet.rsa.time.event_queue_time`*:: +*`rsa.time.event_queue_time`*:: + -- This key is the Time that the event was queued. @@ -51787,77 +52183,77 @@ type: date -- -*`fortinet.rsa.time.p_time1`*:: +*`rsa.time.p_time1`*:: + -- type: keyword -- -*`fortinet.rsa.time.tzone`*:: +*`rsa.time.tzone`*:: + -- type: keyword -- -*`fortinet.rsa.time.eventtime`*:: +*`rsa.time.eventtime`*:: + -- type: keyword -- -*`fortinet.rsa.time.gmtdate`*:: +*`rsa.time.gmtdate`*:: + -- type: keyword -- -*`fortinet.rsa.time.gmttime`*:: +*`rsa.time.gmttime`*:: + -- type: keyword -- -*`fortinet.rsa.time.p_date`*:: +*`rsa.time.p_date`*:: + -- type: keyword -- -*`fortinet.rsa.time.p_month`*:: +*`rsa.time.p_month`*:: + -- type: keyword -- -*`fortinet.rsa.time.p_time`*:: +*`rsa.time.p_time`*:: + -- type: keyword -- -*`fortinet.rsa.time.p_time2`*:: +*`rsa.time.p_time2`*:: + -- type: keyword -- -*`fortinet.rsa.time.p_year`*:: +*`rsa.time.p_year`*:: + -- type: keyword -- -*`fortinet.rsa.time.expire_time_str`*:: +*`rsa.time.expire_time_str`*:: + -- This key is used to capture incomplete timestamp that explicitly refers to an expiration. 
@@ -51866,7 +52262,7 @@ type: keyword -- -*`fortinet.rsa.time.stamp`*:: +*`rsa.time.stamp`*:: + -- Deprecated key defined only in table map. @@ -51876,14 +52272,14 @@ type: date -- -*`fortinet.rsa.misc.action`*:: +*`rsa.misc.action`*:: + -- type: keyword -- -*`fortinet.rsa.misc.result`*:: +*`rsa.misc.result`*:: + -- This key is used to capture the outcome/result string value of an action in a session. @@ -51892,7 +52288,7 @@ type: keyword -- -*`fortinet.rsa.misc.severity`*:: +*`rsa.misc.severity`*:: + -- This key is used to capture the severity given the session @@ -51901,7 +52297,7 @@ type: keyword -- -*`fortinet.rsa.misc.event_type`*:: +*`rsa.misc.event_type`*:: + -- This key captures the event category type as specified by the event source. @@ -51910,7 +52306,7 @@ type: keyword -- -*`fortinet.rsa.misc.reference_id`*:: +*`rsa.misc.reference_id`*:: + -- This key is used to capture an event id from the session directly @@ -51919,7 +52315,7 @@ type: keyword -- -*`fortinet.rsa.misc.version`*:: +*`rsa.misc.version`*:: + -- This key captures Version of the application or OS which is generating the event. @@ -51928,7 +52324,7 @@ type: keyword -- -*`fortinet.rsa.misc.disposition`*:: +*`rsa.misc.disposition`*:: + -- This key captures the The end state of an action. @@ -51937,7 +52333,7 @@ type: keyword -- -*`fortinet.rsa.misc.result_code`*:: +*`rsa.misc.result_code`*:: + -- This key is used to capture the outcome/result numeric value of an action in a session @@ -51946,7 +52342,7 @@ type: keyword -- -*`fortinet.rsa.misc.category`*:: +*`rsa.misc.category`*:: + -- This key is used to capture the category of an event given by the vendor in the session @@ -51955,7 +52351,7 @@ type: keyword -- -*`fortinet.rsa.misc.obj_name`*:: +*`rsa.misc.obj_name`*:: + -- This is used to capture name of object @@ -51964,7 +52360,7 @@ type: keyword -- -*`fortinet.rsa.misc.obj_type`*:: +*`rsa.misc.obj_type`*:: + -- This is used to capture type of object 
@@ -51973,7 +52369,7 @@ type: keyword -- -*`fortinet.rsa.misc.event_source`*:: +*`rsa.misc.event_source`*:: + -- This key captures Source of the event that’s not a hostname @@ -51982,7 +52378,7 @@ type: keyword -- -*`fortinet.rsa.misc.log_session_id`*:: +*`rsa.misc.log_session_id`*:: + -- This key is used to capture a sessionid from the session directly @@ -51991,7 +52387,7 @@ type: keyword -- -*`fortinet.rsa.misc.group`*:: +*`rsa.misc.group`*:: + -- This key captures the Group Name value @@ -52000,7 +52396,7 @@ type: keyword -- -*`fortinet.rsa.misc.policy_name`*:: +*`rsa.misc.policy_name`*:: + -- This key is used to capture the Policy Name only. @@ -52009,7 +52405,7 @@ type: keyword -- -*`fortinet.rsa.misc.rule_name`*:: +*`rsa.misc.rule_name`*:: + -- This key captures the Rule Name @@ -52018,7 +52414,7 @@ type: keyword -- -*`fortinet.rsa.misc.context`*:: +*`rsa.misc.context`*:: + -- This key captures Information which adds additional context to the event. @@ -52027,7 +52423,7 @@ type: keyword -- -*`fortinet.rsa.misc.change_new`*:: +*`rsa.misc.change_new`*:: + -- This key is used to capture the new values of the attribute that’s changing in a session @@ -52036,14 +52432,14 @@ type: keyword -- -*`fortinet.rsa.misc.space`*:: +*`rsa.misc.space`*:: + -- type: keyword -- -*`fortinet.rsa.misc.client`*:: +*`rsa.misc.client`*:: + -- This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. @@ -52052,21 +52448,21 @@ type: keyword -- -*`fortinet.rsa.misc.msgIdPart1`*:: +*`rsa.misc.msgIdPart1`*:: + -- type: keyword -- -*`fortinet.rsa.misc.msgIdPart2`*:: +*`rsa.misc.msgIdPart2`*:: + -- type: keyword -- -*`fortinet.rsa.misc.change_old`*:: +*`rsa.misc.change_old`*:: + -- This key is used to capture the old value of the attribute that’s changing in a session 
@@ -52075,7 +52471,7 @@ type: keyword -- -*`fortinet.rsa.misc.operation_id`*:: +*`rsa.misc.operation_id`*:: + -- An alert number or operation number. The values should be unique and non-repeating. @@ -52084,7 +52480,7 @@ type: keyword -- -*`fortinet.rsa.misc.event_state`*:: +*`rsa.misc.event_state`*:: + -- This key captures the current state of the object/item referenced within the event. Describing an on-going event. @@ -52093,7 +52489,7 @@ type: keyword -- -*`fortinet.rsa.misc.group_object`*:: +*`rsa.misc.group_object`*:: + -- This key captures a collection/grouping of entities. Specific usage @@ -52102,7 +52498,7 @@ type: keyword -- -*`fortinet.rsa.misc.node`*:: +*`rsa.misc.node`*:: + -- Common use case is the node name within a cluster. The cluster name is reflected by the host name. @@ -52111,7 +52507,7 @@ type: keyword -- -*`fortinet.rsa.misc.rule`*:: +*`rsa.misc.rule`*:: + -- This key captures the Rule number @@ -52120,7 +52516,7 @@ type: keyword -- -*`fortinet.rsa.misc.device_name`*:: +*`rsa.misc.device_name`*:: + -- This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc @@ -52129,7 +52525,7 @@ type: keyword -- -*`fortinet.rsa.misc.param`*:: +*`rsa.misc.param`*:: + -- This key is the parameters passed as part of a command or application, etc. @@ -52138,7 +52534,7 @@ type: keyword -- -*`fortinet.rsa.misc.change_attrib`*:: +*`rsa.misc.change_attrib`*:: + -- This key is used to capture the name of the attribute that’s changing in a session @@ -52147,7 +52543,7 @@ type: keyword -- -*`fortinet.rsa.misc.event_computer`*:: +*`rsa.misc.event_computer`*:: + -- This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. @@ -52156,7 +52552,7 @@ type: keyword -- -*`fortinet.rsa.misc.reference_id1`*:: +*`rsa.misc.reference_id1`*:: + -- This key is for Linked ID to be used as an addition to "reference.id" 
@@ -52165,7 +52561,7 @@ type: keyword -- -*`fortinet.rsa.misc.event_log`*:: +*`rsa.misc.event_log`*:: + -- This key captures the Name of the event log @@ -52174,7 +52570,7 @@ type: keyword -- -*`fortinet.rsa.misc.OS`*:: +*`rsa.misc.OS`*:: + -- This key captures the Name of the Operating System @@ -52183,7 +52579,7 @@ type: keyword -- -*`fortinet.rsa.misc.terminal`*:: +*`rsa.misc.terminal`*:: + -- This key captures the Terminal Names only @@ -52192,14 +52588,14 @@ type: keyword -- -*`fortinet.rsa.misc.msgIdPart3`*:: +*`rsa.misc.msgIdPart3`*:: + -- type: keyword -- -*`fortinet.rsa.misc.filter`*:: +*`rsa.misc.filter`*:: + -- This key captures Filter used to reduce result set @@ -52208,7 +52604,7 @@ type: keyword -- -*`fortinet.rsa.misc.serial_number`*:: +*`rsa.misc.serial_number`*:: + -- This key is the Serial number associated with a physical asset. @@ -52217,7 +52613,7 @@ type: keyword -- -*`fortinet.rsa.misc.checksum`*:: +*`rsa.misc.checksum`*:: + -- This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. @@ -52226,7 +52622,7 @@ type: keyword -- -*`fortinet.rsa.misc.event_user`*:: +*`rsa.misc.event_user`*:: + -- This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. @@ -52235,7 +52631,7 @@ type: keyword -- -*`fortinet.rsa.misc.virusname`*:: +*`rsa.misc.virusname`*:: + -- This key captures the name of the virus @@ -52244,7 +52640,7 @@ type: keyword -- -*`fortinet.rsa.misc.content_type`*:: +*`rsa.misc.content_type`*:: + -- This key is used to capture Content Type only. @@ -52253,7 +52649,7 @@ type: keyword -- -*`fortinet.rsa.misc.group_id`*:: +*`rsa.misc.group_id`*:: + -- This key captures Group ID Number (related to the group name) 
@@ -52262,7 +52658,7 @@ type: keyword -- -*`fortinet.rsa.misc.policy_id`*:: +*`rsa.misc.policy_id`*:: + -- This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise @@ -52271,7 +52667,7 @@ type: keyword -- -*`fortinet.rsa.misc.vsys`*:: +*`rsa.misc.vsys`*:: + -- This key captures Virtual System Name @@ -52280,7 +52676,7 @@ type: keyword -- -*`fortinet.rsa.misc.connection_id`*:: +*`rsa.misc.connection_id`*:: + -- This key captures the Connection ID @@ -52289,7 +52685,7 @@ type: keyword -- -*`fortinet.rsa.misc.reference_id2`*:: +*`rsa.misc.reference_id2`*:: + -- This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. @@ -52298,7 +52694,7 @@ type: keyword -- -*`fortinet.rsa.misc.sensor`*:: +*`rsa.misc.sensor`*:: + -- This key captures Name of the sensor. Typically used in IDS/IPS based devices @@ -52307,7 +52703,7 @@ type: keyword -- -*`fortinet.rsa.misc.sig_id`*:: +*`rsa.misc.sig_id`*:: + -- This key captures IDS/IPS Int Signature ID @@ -52316,7 +52712,7 @@ type: long -- -*`fortinet.rsa.misc.port_name`*:: +*`rsa.misc.port_name`*:: + -- This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). @@ -52325,7 +52721,7 @@ type: keyword -- -*`fortinet.rsa.misc.rule_group`*:: +*`rsa.misc.rule_group`*:: + -- This key captures the Rule group name @@ -52334,7 +52730,7 @@ type: keyword -- -*`fortinet.rsa.misc.risk_num`*:: +*`rsa.misc.risk_num`*:: + -- This key captures a Numeric Risk value @@ -52343,7 +52739,7 @@ type: double -- -*`fortinet.rsa.misc.trigger_val`*:: +*`rsa.misc.trigger_val`*:: + -- This key captures the Value of the trigger or threshold condition. 
@@ -52352,7 +52748,7 @@ type: keyword -- -*`fortinet.rsa.misc.log_session_id1`*:: +*`rsa.misc.log_session_id1`*:: + -- This key is used to capture a Linked (Related) Session ID from the session directly @@ -52361,7 +52757,7 @@ type: keyword -- -*`fortinet.rsa.misc.comp_version`*:: +*`rsa.misc.comp_version`*:: + -- This key captures the Version level of a sub-component of a product. @@ -52370,7 +52766,7 @@ type: keyword -- -*`fortinet.rsa.misc.content_version`*:: +*`rsa.misc.content_version`*:: + -- This key captures Version level of a signature or database content. @@ -52379,7 +52775,7 @@ type: keyword -- -*`fortinet.rsa.misc.hardware_id`*:: +*`rsa.misc.hardware_id`*:: + -- This key is used to capture unique identifier for a device or system (NOT a Mac address) @@ -52388,7 +52784,7 @@ type: keyword -- -*`fortinet.rsa.misc.risk`*:: +*`rsa.misc.risk`*:: + -- This key captures the non-numeric risk value @@ -52397,28 +52793,28 @@ type: keyword -- -*`fortinet.rsa.misc.event_id`*:: +*`rsa.misc.event_id`*:: + -- type: keyword -- -*`fortinet.rsa.misc.reason`*:: +*`rsa.misc.reason`*:: + -- type: keyword -- -*`fortinet.rsa.misc.status`*:: +*`rsa.misc.status`*:: + -- type: keyword -- -*`fortinet.rsa.misc.mail_id`*:: +*`rsa.misc.mail_id`*:: + -- This key is used to capture the mailbox id/name @@ -52427,7 +52823,7 @@ type: keyword -- -*`fortinet.rsa.misc.rule_uid`*:: +*`rsa.misc.rule_uid`*:: + -- This key is the Unique Identifier for a rule. @@ -52436,7 +52832,7 @@ type: keyword -- -*`fortinet.rsa.misc.trigger_desc`*:: +*`rsa.misc.trigger_desc`*:: + -- This key captures the Description of the trigger or threshold condition. 
@@ -52445,35 +52841,35 @@ type: keyword -- -*`fortinet.rsa.misc.inout`*:: +*`rsa.misc.inout`*:: + -- type: keyword -- -*`fortinet.rsa.misc.p_msgid`*:: +*`rsa.misc.p_msgid`*:: + -- type: keyword -- -*`fortinet.rsa.misc.data_type`*:: +*`rsa.misc.data_type`*:: + -- type: keyword -- -*`fortinet.rsa.misc.msgIdPart4`*:: +*`rsa.misc.msgIdPart4`*:: + -- type: keyword -- -*`fortinet.rsa.misc.error`*:: +*`rsa.misc.error`*:: + -- This key captures All non successful Error codes or responses @@ -52482,14 +52878,14 @@ type: keyword -- -*`fortinet.rsa.misc.index`*:: +*`rsa.misc.index`*:: + -- type: keyword -- -*`fortinet.rsa.misc.listnum`*:: +*`rsa.misc.listnum`*:: + -- This key is used to capture listname or listnumber, primarily for collecting access-list @@ -52498,14 +52894,14 @@ type: keyword -- -*`fortinet.rsa.misc.ntype`*:: +*`rsa.misc.ntype`*:: + -- type: keyword -- -*`fortinet.rsa.misc.observed_val`*:: +*`rsa.misc.observed_val`*:: + -- This key captures the Value observed (from the perspective of the device generating the log). @@ -52514,7 +52910,7 @@ type: keyword -- -*`fortinet.rsa.misc.policy_value`*:: +*`rsa.misc.policy_value`*:: + -- This key captures the contents of the policy. This contains details about the policy @@ -52523,7 +52919,7 @@ type: keyword -- -*`fortinet.rsa.misc.pool_name`*:: +*`rsa.misc.pool_name`*:: + -- This key captures the name of a resource pool @@ -52532,7 +52928,7 @@ type: keyword -- -*`fortinet.rsa.misc.rule_template`*:: +*`rsa.misc.rule_template`*:: + -- A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template 
@@ -52541,35 +52937,35 @@ type: keyword -- -*`fortinet.rsa.misc.count`*:: +*`rsa.misc.count`*:: + -- type: keyword -- -*`fortinet.rsa.misc.number`*:: +*`rsa.misc.number`*:: + -- type: keyword -- -*`fortinet.rsa.misc.sigcat`*:: +*`rsa.misc.sigcat`*:: + -- type: keyword -- -*`fortinet.rsa.misc.type`*:: +*`rsa.misc.type`*:: + -- type: keyword -- -*`fortinet.rsa.misc.comments`*:: +*`rsa.misc.comments`*:: + -- Comment information provided in the log message @@ -52578,7 +52974,7 @@ type: keyword -- -*`fortinet.rsa.misc.doc_number`*:: +*`rsa.misc.doc_number`*:: + -- This key captures File Identification number @@ -52587,7 +52983,7 @@ type: long -- -*`fortinet.rsa.misc.expected_val`*:: +*`rsa.misc.expected_val`*:: + -- This key captures the Value expected (from the perspective of the device generating the log). @@ -52596,7 +52992,7 @@ type: keyword -- -*`fortinet.rsa.misc.job_num`*:: +*`rsa.misc.job_num`*:: + -- This key captures the Job Number @@ -52605,7 +53001,7 @@ type: keyword -- -*`fortinet.rsa.misc.spi_dst`*:: +*`rsa.misc.spi_dst`*:: + -- Destination SPI Index @@ -52614,7 +53010,7 @@ type: keyword -- -*`fortinet.rsa.misc.spi_src`*:: +*`rsa.misc.spi_src`*:: + -- Source SPI Index @@ -52623,14 +53019,14 @@ type: keyword -- -*`fortinet.rsa.misc.code`*:: +*`rsa.misc.code`*:: + -- type: keyword -- -*`fortinet.rsa.misc.agent_id`*:: +*`rsa.misc.agent_id`*:: + -- This key is used to capture agent id @@ -52639,7 +53035,7 @@ type: keyword -- -*`fortinet.rsa.misc.message_body`*:: +*`rsa.misc.message_body`*:: + -- This key captures the The contents of the message body. @@ -52648,14 +53044,14 @@ type: keyword -- -*`fortinet.rsa.misc.phone`*:: +*`rsa.misc.phone`*:: + -- type: keyword -- -*`fortinet.rsa.misc.sig_id_str`*:: +*`rsa.misc.sig_id_str`*:: + -- This key captures a string object of the sigid variable. 
@@ -52664,28 +53060,28 @@ type: keyword -- -*`fortinet.rsa.misc.cmd`*:: +*`rsa.misc.cmd`*:: + -- type: keyword -- -*`fortinet.rsa.misc.misc`*:: +*`rsa.misc.misc`*:: + -- type: keyword -- -*`fortinet.rsa.misc.name`*:: +*`rsa.misc.name`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cpu`*:: +*`rsa.misc.cpu`*:: + -- This key is the CPU time used in the execution of the event being recorded. @@ -52694,7 +53090,7 @@ type: long -- -*`fortinet.rsa.misc.event_desc`*:: +*`rsa.misc.event_desc`*:: + -- This key is used to capture a description of an event available directly or inferred @@ -52703,7 +53099,7 @@ type: keyword -- -*`fortinet.rsa.misc.sig_id1`*:: +*`rsa.misc.sig_id1`*:: + -- This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id @@ -52712,42 +53108,42 @@ type: long -- -*`fortinet.rsa.misc.im_buddyid`*:: +*`rsa.misc.im_buddyid`*:: + -- type: keyword -- -*`fortinet.rsa.misc.im_client`*:: +*`rsa.misc.im_client`*:: + -- type: keyword -- -*`fortinet.rsa.misc.im_userid`*:: +*`rsa.misc.im_userid`*:: + -- type: keyword -- -*`fortinet.rsa.misc.pid`*:: +*`rsa.misc.pid`*:: + -- type: keyword -- -*`fortinet.rsa.misc.priority`*:: +*`rsa.misc.priority`*:: + -- type: keyword -- -*`fortinet.rsa.misc.context_subject`*:: +*`rsa.misc.context_subject`*:: + -- This key is to be used in an audit context where the subject is the object being identified @@ -52756,14 +53152,14 @@ type: keyword -- -*`fortinet.rsa.misc.context_target`*:: +*`rsa.misc.context_target`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cve`*:: +*`rsa.misc.cve`*:: + -- This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. @@ -52772,7 +53168,7 @@ type: keyword -- -*`fortinet.rsa.misc.fcatnum`*:: +*`rsa.misc.fcatnum`*:: + -- This key captures Filter Category Number. Legacy Usage 
@@ -52781,7 +53177,7 @@ type: keyword -- -*`fortinet.rsa.misc.library`*:: +*`rsa.misc.library`*:: + -- This key is used to capture library information in mainframe devices @@ -52790,7 +53186,7 @@ type: keyword -- -*`fortinet.rsa.misc.parent_node`*:: +*`rsa.misc.parent_node`*:: + -- This key captures the Parent Node Name. Must be related to node variable. @@ -52799,7 +53195,7 @@ type: keyword -- -*`fortinet.rsa.misc.risk_info`*:: +*`rsa.misc.risk_info`*:: + -- Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) @@ -52808,7 +53204,7 @@ type: keyword -- -*`fortinet.rsa.misc.tcp_flags`*:: +*`rsa.misc.tcp_flags`*:: + -- This key is captures the TCP flags set in any packet of session @@ -52817,7 +53213,7 @@ type: long -- -*`fortinet.rsa.misc.tos`*:: +*`rsa.misc.tos`*:: + -- This key describes the type of service @@ -52826,7 +53222,7 @@ type: long -- -*`fortinet.rsa.misc.vm_target`*:: +*`rsa.misc.vm_target`*:: + -- VMWare Target **VMWARE** only varaible. @@ -52835,7 +53231,7 @@ type: keyword -- -*`fortinet.rsa.misc.workspace`*:: +*`rsa.misc.workspace`*:: + -- This key captures Workspace Description 
@@ -52844,91 +53240,91 @@ type: keyword -- -*`fortinet.rsa.misc.command`*:: +*`rsa.misc.command`*:: + -- type: keyword -- -*`fortinet.rsa.misc.event_category`*:: +*`rsa.misc.event_category`*:: + -- type: keyword -- -*`fortinet.rsa.misc.facilityname`*:: +*`rsa.misc.facilityname`*:: + -- type: keyword -- -*`fortinet.rsa.misc.forensic_info`*:: +*`rsa.misc.forensic_info`*:: + -- type: keyword -- -*`fortinet.rsa.misc.jobname`*:: +*`rsa.misc.jobname`*:: + -- type: keyword -- -*`fortinet.rsa.misc.mode`*:: +*`rsa.misc.mode`*:: + -- type: keyword -- -*`fortinet.rsa.misc.policy`*:: +*`rsa.misc.policy`*:: + -- type: keyword -- -*`fortinet.rsa.misc.policy_waiver`*:: +*`rsa.misc.policy_waiver`*:: + -- type: keyword -- -*`fortinet.rsa.misc.second`*:: +*`rsa.misc.second`*:: + -- type: keyword -- -*`fortinet.rsa.misc.space1`*:: +*`rsa.misc.space1`*:: + -- type: keyword -- -*`fortinet.rsa.misc.subcategory`*:: +*`rsa.misc.subcategory`*:: + -- type: keyword -- -*`fortinet.rsa.misc.tbdstr2`*:: +*`rsa.misc.tbdstr2`*:: + -- type: keyword -- -*`fortinet.rsa.misc.alert_id`*:: +*`rsa.misc.alert_id`*:: + -- Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) @@ -52937,7 +53333,7 @@ type: keyword -- -*`fortinet.rsa.misc.checksum_dst`*:: +*`rsa.misc.checksum_dst`*:: + -- This key is used to capture the checksum or hash of the the target entity such as a process or file. @@ -52946,7 +53342,7 @@ type: keyword -- -*`fortinet.rsa.misc.checksum_src`*:: +*`rsa.misc.checksum_src`*:: + -- This key is used to capture the checksum or hash of the source entity such as a file or process. @@ -52955,7 +53351,7 @@ type: keyword -- -*`fortinet.rsa.misc.fresult`*:: +*`rsa.misc.fresult`*:: + -- This key captures the Filter Result @@ -52964,7 +53360,7 @@ type: long -- -*`fortinet.rsa.misc.payload_dst`*:: +*`rsa.misc.payload_dst`*:: + -- This key is used to capture destination payload 
@@ -52973,7 +53369,7 @@ type: keyword -- -*`fortinet.rsa.misc.payload_src`*:: +*`rsa.misc.payload_src`*:: + -- This key is used to capture source payload @@ -52982,7 +53378,7 @@ type: keyword -- -*`fortinet.rsa.misc.pool_id`*:: +*`rsa.misc.pool_id`*:: + -- This key captures the identifier (typically numeric field) of a resource pool @@ -52991,7 +53387,7 @@ type: keyword -- -*`fortinet.rsa.misc.process_id_val`*:: +*`rsa.misc.process_id_val`*:: + -- This key is a failure key for Process ID when it is not an integer value @@ -53000,7 +53396,7 @@ type: keyword -- -*`fortinet.rsa.misc.risk_num_comm`*:: +*`rsa.misc.risk_num_comm`*:: + -- This key captures Risk Number Community @@ -53009,7 +53405,7 @@ type: double -- -*`fortinet.rsa.misc.risk_num_next`*:: +*`rsa.misc.risk_num_next`*:: + -- This key captures Risk Number NextGen @@ -53018,7 +53414,7 @@ type: double -- -*`fortinet.rsa.misc.risk_num_sand`*:: +*`rsa.misc.risk_num_sand`*:: + -- This key captures Risk Number SandBox @@ -53027,7 +53423,7 @@ type: double -- -*`fortinet.rsa.misc.risk_num_static`*:: +*`rsa.misc.risk_num_static`*:: + -- This key captures Risk Number Static @@ -53036,7 +53432,7 @@ type: double -- -*`fortinet.rsa.misc.risk_suspicious`*:: +*`rsa.misc.risk_suspicious`*:: + -- Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) @@ -53045,7 +53441,7 @@ type: keyword -- -*`fortinet.rsa.misc.risk_warning`*:: +*`rsa.misc.risk_warning`*:: + -- Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) @@ -53054,7 +53450,7 @@ type: keyword -- -*`fortinet.rsa.misc.snmp_oid`*:: +*`rsa.misc.snmp_oid`*:: + -- SNMP Object Identifier @@ -53063,7 +53459,7 @@ type: keyword -- -*`fortinet.rsa.misc.sql`*:: +*`rsa.misc.sql`*:: + -- This key captures the SQL query @@ -53072,7 +53468,7 @@ type: keyword -- -*`fortinet.rsa.misc.vuln_ref`*:: +*`rsa.misc.vuln_ref`*:: + -- This key captures the Vulnerability Reference details 
@@ -53081,1547 +53477,1547 @@ type: keyword -- -*`fortinet.rsa.misc.acl_id`*:: +*`rsa.misc.acl_id`*:: + -- type: keyword -- -*`fortinet.rsa.misc.acl_op`*:: +*`rsa.misc.acl_op`*:: + -- type: keyword -- -*`fortinet.rsa.misc.acl_pos`*:: +*`rsa.misc.acl_pos`*:: + -- type: keyword -- -*`fortinet.rsa.misc.acl_table`*:: +*`rsa.misc.acl_table`*:: + -- type: keyword -- -*`fortinet.rsa.misc.admin`*:: +*`rsa.misc.admin`*:: + -- type: keyword -- -*`fortinet.rsa.misc.alarm_id`*:: +*`rsa.misc.alarm_id`*:: + -- type: keyword -- -*`fortinet.rsa.misc.alarmname`*:: +*`rsa.misc.alarmname`*:: + -- type: keyword -- -*`fortinet.rsa.misc.app_id`*:: +*`rsa.misc.app_id`*:: + -- type: keyword -- -*`fortinet.rsa.misc.audit`*:: +*`rsa.misc.audit`*:: + -- type: keyword -- -*`fortinet.rsa.misc.audit_object`*:: +*`rsa.misc.audit_object`*:: + -- type: keyword -- -*`fortinet.rsa.misc.auditdata`*:: +*`rsa.misc.auditdata`*:: + -- type: keyword -- -*`fortinet.rsa.misc.benchmark`*:: +*`rsa.misc.benchmark`*:: + -- type: keyword -- -*`fortinet.rsa.misc.bypass`*:: +*`rsa.misc.bypass`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cache`*:: +*`rsa.misc.cache`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cache_hit`*:: +*`rsa.misc.cache_hit`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cefversion`*:: +*`rsa.misc.cefversion`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cfg_attr`*:: +*`rsa.misc.cfg_attr`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cfg_obj`*:: +*`rsa.misc.cfg_obj`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cfg_path`*:: +*`rsa.misc.cfg_path`*:: + -- type: keyword -- -*`fortinet.rsa.misc.changes`*:: +*`rsa.misc.changes`*:: + -- type: keyword -- -*`fortinet.rsa.misc.client_ip`*:: +*`rsa.misc.client_ip`*:: + -- type: keyword -- -*`fortinet.rsa.misc.clustermembers`*:: +*`rsa.misc.clustermembers`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_acttimeout`*:: +*`rsa.misc.cn_acttimeout`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_asn_src`*:: +*`rsa.misc.cn_asn_src`*:: + -- type: keyword 
-- -*`fortinet.rsa.misc.cn_bgpv4nxthop`*:: +*`rsa.misc.cn_bgpv4nxthop`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_ctr_dst_code`*:: +*`rsa.misc.cn_ctr_dst_code`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_dst_tos`*:: +*`rsa.misc.cn_dst_tos`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_dst_vlan`*:: +*`rsa.misc.cn_dst_vlan`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_engine_id`*:: +*`rsa.misc.cn_engine_id`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_engine_type`*:: +*`rsa.misc.cn_engine_type`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_f_switch`*:: +*`rsa.misc.cn_f_switch`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_flowsampid`*:: +*`rsa.misc.cn_flowsampid`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_flowsampintv`*:: +*`rsa.misc.cn_flowsampintv`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_flowsampmode`*:: +*`rsa.misc.cn_flowsampmode`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_inacttimeout`*:: +*`rsa.misc.cn_inacttimeout`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_inpermbyts`*:: +*`rsa.misc.cn_inpermbyts`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_inpermpckts`*:: +*`rsa.misc.cn_inpermpckts`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_invalid`*:: +*`rsa.misc.cn_invalid`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_ip_proto_ver`*:: +*`rsa.misc.cn_ip_proto_ver`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_ipv4_ident`*:: +*`rsa.misc.cn_ipv4_ident`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_l_switch`*:: +*`rsa.misc.cn_l_switch`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_log_did`*:: +*`rsa.misc.cn_log_did`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_log_rid`*:: +*`rsa.misc.cn_log_rid`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_max_ttl`*:: +*`rsa.misc.cn_max_ttl`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_maxpcktlen`*:: +*`rsa.misc.cn_maxpcktlen`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_min_ttl`*:: +*`rsa.misc.cn_min_ttl`*:: + -- type: keyword -- 
-*`fortinet.rsa.misc.cn_minpcktlen`*:: +*`rsa.misc.cn_minpcktlen`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_mpls_lbl_1`*:: +*`rsa.misc.cn_mpls_lbl_1`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_mpls_lbl_10`*:: +*`rsa.misc.cn_mpls_lbl_10`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_mpls_lbl_2`*:: +*`rsa.misc.cn_mpls_lbl_2`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_mpls_lbl_3`*:: +*`rsa.misc.cn_mpls_lbl_3`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_mpls_lbl_4`*:: +*`rsa.misc.cn_mpls_lbl_4`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_mpls_lbl_5`*:: +*`rsa.misc.cn_mpls_lbl_5`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_mpls_lbl_6`*:: +*`rsa.misc.cn_mpls_lbl_6`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_mpls_lbl_7`*:: +*`rsa.misc.cn_mpls_lbl_7`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_mpls_lbl_8`*:: +*`rsa.misc.cn_mpls_lbl_8`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_mpls_lbl_9`*:: +*`rsa.misc.cn_mpls_lbl_9`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_mplstoplabel`*:: +*`rsa.misc.cn_mplstoplabel`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_mplstoplabip`*:: +*`rsa.misc.cn_mplstoplabip`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_mul_dst_byt`*:: +*`rsa.misc.cn_mul_dst_byt`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_mul_dst_pks`*:: +*`rsa.misc.cn_mul_dst_pks`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_muligmptype`*:: +*`rsa.misc.cn_muligmptype`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_sampalgo`*:: +*`rsa.misc.cn_sampalgo`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_sampint`*:: +*`rsa.misc.cn_sampint`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_seqctr`*:: +*`rsa.misc.cn_seqctr`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_spackets`*:: +*`rsa.misc.cn_spackets`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_src_tos`*:: +*`rsa.misc.cn_src_tos`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_src_vlan`*:: +*`rsa.misc.cn_src_vlan`*:: + -- type: keyword -- 
-*`fortinet.rsa.misc.cn_sysuptime`*:: +*`rsa.misc.cn_sysuptime`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_template_id`*:: +*`rsa.misc.cn_template_id`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_totbytsexp`*:: +*`rsa.misc.cn_totbytsexp`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_totflowexp`*:: +*`rsa.misc.cn_totflowexp`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_totpcktsexp`*:: +*`rsa.misc.cn_totpcktsexp`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_unixnanosecs`*:: +*`rsa.misc.cn_unixnanosecs`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_v6flowlabel`*:: +*`rsa.misc.cn_v6flowlabel`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cn_v6optheaders`*:: +*`rsa.misc.cn_v6optheaders`*:: + -- type: keyword -- -*`fortinet.rsa.misc.comp_class`*:: +*`rsa.misc.comp_class`*:: + -- type: keyword -- -*`fortinet.rsa.misc.comp_name`*:: +*`rsa.misc.comp_name`*:: + -- type: keyword -- -*`fortinet.rsa.misc.comp_rbytes`*:: +*`rsa.misc.comp_rbytes`*:: + -- type: keyword -- -*`fortinet.rsa.misc.comp_sbytes`*:: +*`rsa.misc.comp_sbytes`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cpu_data`*:: +*`rsa.misc.cpu_data`*:: + -- type: keyword -- -*`fortinet.rsa.misc.criticality`*:: +*`rsa.misc.criticality`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cs_agency_dst`*:: +*`rsa.misc.cs_agency_dst`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cs_analyzedby`*:: +*`rsa.misc.cs_analyzedby`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cs_av_other`*:: +*`rsa.misc.cs_av_other`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cs_av_primary`*:: +*`rsa.misc.cs_av_primary`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cs_av_secondary`*:: +*`rsa.misc.cs_av_secondary`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cs_bgpv6nxthop`*:: +*`rsa.misc.cs_bgpv6nxthop`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cs_bit9status`*:: +*`rsa.misc.cs_bit9status`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cs_context`*:: +*`rsa.misc.cs_context`*:: + -- type: keyword -- 
-*`fortinet.rsa.misc.cs_control`*:: +*`rsa.misc.cs_control`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cs_data`*:: +*`rsa.misc.cs_data`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cs_datecret`*:: +*`rsa.misc.cs_datecret`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cs_dst_tld`*:: +*`rsa.misc.cs_dst_tld`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cs_eth_dst_ven`*:: +*`rsa.misc.cs_eth_dst_ven`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cs_eth_src_ven`*:: +*`rsa.misc.cs_eth_src_ven`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cs_event_uuid`*:: +*`rsa.misc.cs_event_uuid`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cs_filetype`*:: +*`rsa.misc.cs_filetype`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cs_fld`*:: +*`rsa.misc.cs_fld`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cs_if_desc`*:: +*`rsa.misc.cs_if_desc`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cs_if_name`*:: +*`rsa.misc.cs_if_name`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cs_ip_next_hop`*:: +*`rsa.misc.cs_ip_next_hop`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cs_ipv4dstpre`*:: +*`rsa.misc.cs_ipv4dstpre`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cs_ipv4srcpre`*:: +*`rsa.misc.cs_ipv4srcpre`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cs_lifetime`*:: +*`rsa.misc.cs_lifetime`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cs_log_medium`*:: +*`rsa.misc.cs_log_medium`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cs_loginname`*:: +*`rsa.misc.cs_loginname`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cs_modulescore`*:: +*`rsa.misc.cs_modulescore`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cs_modulesign`*:: +*`rsa.misc.cs_modulesign`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cs_opswatresult`*:: +*`rsa.misc.cs_opswatresult`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cs_payload`*:: +*`rsa.misc.cs_payload`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cs_registrant`*:: +*`rsa.misc.cs_registrant`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cs_registrar`*:: 
+*`rsa.misc.cs_registrar`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cs_represult`*:: +*`rsa.misc.cs_represult`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cs_rpayload`*:: +*`rsa.misc.cs_rpayload`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cs_sampler_name`*:: +*`rsa.misc.cs_sampler_name`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cs_sourcemodule`*:: +*`rsa.misc.cs_sourcemodule`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cs_streams`*:: +*`rsa.misc.cs_streams`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cs_targetmodule`*:: +*`rsa.misc.cs_targetmodule`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cs_v6nxthop`*:: +*`rsa.misc.cs_v6nxthop`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cs_whois_server`*:: +*`rsa.misc.cs_whois_server`*:: + -- type: keyword -- -*`fortinet.rsa.misc.cs_yararesult`*:: +*`rsa.misc.cs_yararesult`*:: + -- type: keyword -- -*`fortinet.rsa.misc.description`*:: +*`rsa.misc.description`*:: + -- type: keyword -- -*`fortinet.rsa.misc.devvendor`*:: +*`rsa.misc.devvendor`*:: + -- type: keyword -- -*`fortinet.rsa.misc.distance`*:: +*`rsa.misc.distance`*:: + -- type: keyword -- -*`fortinet.rsa.misc.dstburb`*:: +*`rsa.misc.dstburb`*:: + -- type: keyword -- -*`fortinet.rsa.misc.edomain`*:: +*`rsa.misc.edomain`*:: + -- type: keyword -- -*`fortinet.rsa.misc.edomaub`*:: +*`rsa.misc.edomaub`*:: + -- type: keyword -- -*`fortinet.rsa.misc.euid`*:: +*`rsa.misc.euid`*:: + -- type: keyword -- -*`fortinet.rsa.misc.facility`*:: +*`rsa.misc.facility`*:: + -- type: keyword -- -*`fortinet.rsa.misc.finterface`*:: +*`rsa.misc.finterface`*:: + -- type: keyword -- -*`fortinet.rsa.misc.flags`*:: +*`rsa.misc.flags`*:: + -- type: keyword -- -*`fortinet.rsa.misc.gaddr`*:: +*`rsa.misc.gaddr`*:: + -- type: keyword -- -*`fortinet.rsa.misc.id3`*:: +*`rsa.misc.id3`*:: + -- type: keyword -- -*`fortinet.rsa.misc.im_buddyname`*:: +*`rsa.misc.im_buddyname`*:: + -- type: keyword -- -*`fortinet.rsa.misc.im_croomid`*:: +*`rsa.misc.im_croomid`*:: + -- type: keyword -- 
-*`fortinet.rsa.misc.im_croomtype`*:: +*`rsa.misc.im_croomtype`*:: + -- type: keyword -- -*`fortinet.rsa.misc.im_members`*:: +*`rsa.misc.im_members`*:: + -- type: keyword -- -*`fortinet.rsa.misc.im_username`*:: +*`rsa.misc.im_username`*:: + -- type: keyword -- -*`fortinet.rsa.misc.ipkt`*:: +*`rsa.misc.ipkt`*:: + -- type: keyword -- -*`fortinet.rsa.misc.ipscat`*:: +*`rsa.misc.ipscat`*:: + -- type: keyword -- -*`fortinet.rsa.misc.ipspri`*:: +*`rsa.misc.ipspri`*:: + -- type: keyword -- -*`fortinet.rsa.misc.latitude`*:: +*`rsa.misc.latitude`*:: + -- type: keyword -- -*`fortinet.rsa.misc.linenum`*:: +*`rsa.misc.linenum`*:: + -- type: keyword -- -*`fortinet.rsa.misc.list_name`*:: +*`rsa.misc.list_name`*:: + -- type: keyword -- -*`fortinet.rsa.misc.load_data`*:: +*`rsa.misc.load_data`*:: + -- type: keyword -- -*`fortinet.rsa.misc.location_floor`*:: +*`rsa.misc.location_floor`*:: + -- type: keyword -- -*`fortinet.rsa.misc.location_mark`*:: +*`rsa.misc.location_mark`*:: + -- type: keyword -- -*`fortinet.rsa.misc.log_id`*:: +*`rsa.misc.log_id`*:: + -- type: keyword -- -*`fortinet.rsa.misc.log_type`*:: +*`rsa.misc.log_type`*:: + -- type: keyword -- -*`fortinet.rsa.misc.logid`*:: +*`rsa.misc.logid`*:: + -- type: keyword -- -*`fortinet.rsa.misc.logip`*:: +*`rsa.misc.logip`*:: + -- type: keyword -- -*`fortinet.rsa.misc.logname`*:: +*`rsa.misc.logname`*:: + -- type: keyword -- -*`fortinet.rsa.misc.longitude`*:: +*`rsa.misc.longitude`*:: + -- type: keyword -- -*`fortinet.rsa.misc.lport`*:: +*`rsa.misc.lport`*:: + -- type: keyword -- -*`fortinet.rsa.misc.mbug_data`*:: +*`rsa.misc.mbug_data`*:: + -- type: keyword -- -*`fortinet.rsa.misc.misc_name`*:: +*`rsa.misc.misc_name`*:: + -- type: keyword -- -*`fortinet.rsa.misc.msg_type`*:: +*`rsa.misc.msg_type`*:: + -- type: keyword -- -*`fortinet.rsa.misc.msgid`*:: +*`rsa.misc.msgid`*:: + -- type: keyword -- -*`fortinet.rsa.misc.netsessid`*:: +*`rsa.misc.netsessid`*:: + -- type: keyword -- -*`fortinet.rsa.misc.num`*:: +*`rsa.misc.num`*:: + 
-- type: keyword -- -*`fortinet.rsa.misc.number1`*:: +*`rsa.misc.number1`*:: + -- type: keyword -- -*`fortinet.rsa.misc.number2`*:: +*`rsa.misc.number2`*:: + -- type: keyword -- -*`fortinet.rsa.misc.nwwn`*:: +*`rsa.misc.nwwn`*:: + -- type: keyword -- -*`fortinet.rsa.misc.object`*:: +*`rsa.misc.object`*:: + -- type: keyword -- -*`fortinet.rsa.misc.operation`*:: +*`rsa.misc.operation`*:: + -- type: keyword -- -*`fortinet.rsa.misc.opkt`*:: +*`rsa.misc.opkt`*:: + -- type: keyword -- -*`fortinet.rsa.misc.orig_from`*:: +*`rsa.misc.orig_from`*:: + -- type: keyword -- -*`fortinet.rsa.misc.owner_id`*:: +*`rsa.misc.owner_id`*:: + -- type: keyword -- -*`fortinet.rsa.misc.p_action`*:: +*`rsa.misc.p_action`*:: + -- type: keyword -- -*`fortinet.rsa.misc.p_filter`*:: +*`rsa.misc.p_filter`*:: + -- type: keyword -- -*`fortinet.rsa.misc.p_group_object`*:: +*`rsa.misc.p_group_object`*:: + -- type: keyword -- -*`fortinet.rsa.misc.p_id`*:: +*`rsa.misc.p_id`*:: + -- type: keyword -- -*`fortinet.rsa.misc.p_msgid1`*:: +*`rsa.misc.p_msgid1`*:: + -- type: keyword -- -*`fortinet.rsa.misc.p_msgid2`*:: +*`rsa.misc.p_msgid2`*:: + -- type: keyword -- -*`fortinet.rsa.misc.p_result1`*:: +*`rsa.misc.p_result1`*:: + -- type: keyword -- -*`fortinet.rsa.misc.password_chg`*:: +*`rsa.misc.password_chg`*:: + -- type: keyword -- -*`fortinet.rsa.misc.password_expire`*:: +*`rsa.misc.password_expire`*:: + -- type: keyword -- -*`fortinet.rsa.misc.permgranted`*:: +*`rsa.misc.permgranted`*:: + -- type: keyword -- -*`fortinet.rsa.misc.permwanted`*:: +*`rsa.misc.permwanted`*:: + -- type: keyword -- -*`fortinet.rsa.misc.pgid`*:: +*`rsa.misc.pgid`*:: + -- type: keyword -- -*`fortinet.rsa.misc.policyUUID`*:: +*`rsa.misc.policyUUID`*:: + -- type: keyword -- -*`fortinet.rsa.misc.prog_asp_num`*:: +*`rsa.misc.prog_asp_num`*:: + -- type: keyword -- -*`fortinet.rsa.misc.program`*:: +*`rsa.misc.program`*:: + -- type: keyword -- -*`fortinet.rsa.misc.real_data`*:: +*`rsa.misc.real_data`*:: + -- type: keyword -- 
-*`fortinet.rsa.misc.rec_asp_device`*:: +*`rsa.misc.rec_asp_device`*:: + -- type: keyword -- -*`fortinet.rsa.misc.rec_asp_num`*:: +*`rsa.misc.rec_asp_num`*:: + -- type: keyword -- -*`fortinet.rsa.misc.rec_library`*:: +*`rsa.misc.rec_library`*:: + -- type: keyword -- -*`fortinet.rsa.misc.recordnum`*:: +*`rsa.misc.recordnum`*:: + -- type: keyword -- -*`fortinet.rsa.misc.ruid`*:: +*`rsa.misc.ruid`*:: + -- type: keyword -- -*`fortinet.rsa.misc.sburb`*:: +*`rsa.misc.sburb`*:: + -- type: keyword -- -*`fortinet.rsa.misc.sdomain_fld`*:: +*`rsa.misc.sdomain_fld`*:: + -- type: keyword -- -*`fortinet.rsa.misc.sec`*:: +*`rsa.misc.sec`*:: + -- type: keyword -- -*`fortinet.rsa.misc.sensorname`*:: +*`rsa.misc.sensorname`*:: + -- type: keyword -- -*`fortinet.rsa.misc.seqnum`*:: +*`rsa.misc.seqnum`*:: + -- type: keyword -- -*`fortinet.rsa.misc.session`*:: +*`rsa.misc.session`*:: + -- type: keyword -- -*`fortinet.rsa.misc.sessiontype`*:: +*`rsa.misc.sessiontype`*:: + -- type: keyword -- -*`fortinet.rsa.misc.sigUUID`*:: +*`rsa.misc.sigUUID`*:: + -- type: keyword -- -*`fortinet.rsa.misc.spi`*:: +*`rsa.misc.spi`*:: + -- type: keyword -- -*`fortinet.rsa.misc.srcburb`*:: +*`rsa.misc.srcburb`*:: + -- type: keyword -- -*`fortinet.rsa.misc.srcdom`*:: +*`rsa.misc.srcdom`*:: + -- type: keyword -- -*`fortinet.rsa.misc.srcservice`*:: +*`rsa.misc.srcservice`*:: + -- type: keyword -- -*`fortinet.rsa.misc.state`*:: +*`rsa.misc.state`*:: + -- type: keyword -- -*`fortinet.rsa.misc.status1`*:: +*`rsa.misc.status1`*:: + -- type: keyword -- -*`fortinet.rsa.misc.svcno`*:: +*`rsa.misc.svcno`*:: + -- type: keyword -- -*`fortinet.rsa.misc.system`*:: +*`rsa.misc.system`*:: + -- type: keyword -- -*`fortinet.rsa.misc.tbdstr1`*:: +*`rsa.misc.tbdstr1`*:: + -- type: keyword -- -*`fortinet.rsa.misc.tgtdom`*:: +*`rsa.misc.tgtdom`*:: + -- type: keyword -- -*`fortinet.rsa.misc.tgtdomain`*:: +*`rsa.misc.tgtdomain`*:: + -- type: keyword -- -*`fortinet.rsa.misc.threshold`*:: +*`rsa.misc.threshold`*:: + -- type: keyword 
-- -*`fortinet.rsa.misc.type1`*:: +*`rsa.misc.type1`*:: + -- type: keyword -- -*`fortinet.rsa.misc.udb_class`*:: +*`rsa.misc.udb_class`*:: + -- type: keyword -- -*`fortinet.rsa.misc.url_fld`*:: +*`rsa.misc.url_fld`*:: + -- type: keyword -- -*`fortinet.rsa.misc.user_div`*:: +*`rsa.misc.user_div`*:: + -- type: keyword -- -*`fortinet.rsa.misc.userid`*:: +*`rsa.misc.userid`*:: + -- type: keyword -- -*`fortinet.rsa.misc.username_fld`*:: +*`rsa.misc.username_fld`*:: + -- type: keyword -- -*`fortinet.rsa.misc.utcstamp`*:: +*`rsa.misc.utcstamp`*:: + -- type: keyword -- -*`fortinet.rsa.misc.v_instafname`*:: +*`rsa.misc.v_instafname`*:: + -- type: keyword -- -*`fortinet.rsa.misc.virt_data`*:: +*`rsa.misc.virt_data`*:: + -- type: keyword -- -*`fortinet.rsa.misc.vpnid`*:: +*`rsa.misc.vpnid`*:: + -- type: keyword -- -*`fortinet.rsa.misc.autorun_type`*:: +*`rsa.misc.autorun_type`*:: + -- This is used to capture Auto Run type @@ -54630,7 +55026,7 @@ type: keyword -- -*`fortinet.rsa.misc.cc_number`*:: +*`rsa.misc.cc_number`*:: + -- Valid Credit Card Numbers only @@ -54639,7 +55035,7 @@ type: long -- -*`fortinet.rsa.misc.content`*:: +*`rsa.misc.content`*:: + -- This key captures the content type from protocol headers @@ -54648,7 +55044,7 @@ type: keyword -- -*`fortinet.rsa.misc.ein_number`*:: +*`rsa.misc.ein_number`*:: + -- Employee Identification Numbers only @@ -54657,7 +55053,7 @@ type: long -- -*`fortinet.rsa.misc.found`*:: +*`rsa.misc.found`*:: + -- This is used to capture the results of regex match @@ -54666,7 +55062,7 @@ type: keyword -- -*`fortinet.rsa.misc.language`*:: +*`rsa.misc.language`*:: + -- This is used to capture list of languages the client support and what it prefers @@ -54675,7 +55071,7 @@ type: keyword -- -*`fortinet.rsa.misc.lifetime`*:: +*`rsa.misc.lifetime`*:: + -- This key is used to capture the session lifetime in seconds. 
@@ -54684,7 +55080,7 @@ type: long -- -*`fortinet.rsa.misc.link`*:: +*`rsa.misc.link`*:: + -- This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -54693,7 +55089,7 @@ type: keyword -- -*`fortinet.rsa.misc.match`*:: +*`rsa.misc.match`*:: + -- This key is for regex match name from search.ini @@ -54702,7 +55098,7 @@ type: keyword -- -*`fortinet.rsa.misc.param_dst`*:: +*`rsa.misc.param_dst`*:: + -- This key captures the command line/launch argument of the target process or file @@ -54711,7 +55107,7 @@ type: keyword -- -*`fortinet.rsa.misc.param_src`*:: +*`rsa.misc.param_src`*:: + -- This key captures source parameter @@ -54720,7 +55116,7 @@ type: keyword -- -*`fortinet.rsa.misc.search_text`*:: +*`rsa.misc.search_text`*:: + -- This key captures the Search Text used @@ -54729,7 +55125,7 @@ type: keyword -- -*`fortinet.rsa.misc.sig_name`*:: +*`rsa.misc.sig_name`*:: + -- This key is used to capture the Signature Name only. @@ -54738,7 +55134,7 @@ type: keyword -- -*`fortinet.rsa.misc.snmp_value`*:: +*`rsa.misc.snmp_value`*:: + -- SNMP set request value @@ -54747,7 +55143,7 @@ type: keyword -- -*`fortinet.rsa.misc.streams`*:: +*`rsa.misc.streams`*:: + -- This key captures number of streams in session @@ -54757,7 +55153,7 @@ type: long -- -*`fortinet.rsa.db.index`*:: +*`rsa.db.index`*:: + -- This key captures IndexID of the index. @@ -54766,7 +55162,7 @@ type: keyword -- -*`fortinet.rsa.db.instance`*:: +*`rsa.db.instance`*:: + -- This key is used to capture the database server instance name @@ -54775,7 +55171,7 @@ type: keyword -- -*`fortinet.rsa.db.database`*:: +*`rsa.db.database`*:: + -- This key is used to capture the name of a database or an instance as seen in a session @@ -54784,7 +55180,7 @@ type: keyword -- -*`fortinet.rsa.db.transact_id`*:: +*`rsa.db.transact_id`*:: + -- This key captures the SQL transantion ID of the current session 
@@ -54793,7 +55189,7 @@ type: keyword -- -*`fortinet.rsa.db.permissions`*:: +*`rsa.db.permissions`*:: + -- This key captures permission or privilege level assigned to a resource. @@ -54802,7 +55198,7 @@ type: keyword -- -*`fortinet.rsa.db.table_name`*:: +*`rsa.db.table_name`*:: + -- This key is used to capture the table name @@ -54811,7 +55207,7 @@ type: keyword -- -*`fortinet.rsa.db.db_id`*:: +*`rsa.db.db_id`*:: + -- This key is used to capture the unique identifier for a database @@ -54820,7 +55216,7 @@ type: keyword -- -*`fortinet.rsa.db.db_pid`*:: +*`rsa.db.db_pid`*:: + -- This key captures the process id of a connection with database server @@ -54829,7 +55225,7 @@ type: long -- -*`fortinet.rsa.db.lread`*:: +*`rsa.db.lread`*:: + -- This key is used for the number of logical reads @@ -54838,7 +55234,7 @@ type: long -- -*`fortinet.rsa.db.lwrite`*:: +*`rsa.db.lwrite`*:: + -- This key is used for the number of logical writes @@ -54847,7 +55243,7 @@ type: long -- -*`fortinet.rsa.db.pread`*:: +*`rsa.db.pread`*:: + -- This key is used for the number of physical writes @@ -54857,7 +55253,7 @@ type: long -- -*`fortinet.rsa.network.alias_host`*:: +*`rsa.network.alias_host`*:: + -- This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. @@ -54866,14 +55262,14 @@ type: keyword -- -*`fortinet.rsa.network.domain`*:: +*`rsa.network.domain`*:: + -- type: keyword -- -*`fortinet.rsa.network.host_dst`*:: +*`rsa.network.host_dst`*:: + -- This key should only be used when it’s a Destination Hostname @@ -54882,7 +55278,7 @@ type: keyword -- -*`fortinet.rsa.network.network_service`*:: +*`rsa.network.network_service`*:: + -- This is used to capture layer 7 protocols/service names 
@@ -54891,7 +55287,7 @@ type: keyword -- -*`fortinet.rsa.network.interface`*:: +*`rsa.network.interface`*:: + -- This key should be used when the source or destination context of an interface is not clear @@ -54900,7 +55296,7 @@ type: keyword -- -*`fortinet.rsa.network.network_port`*:: +*`rsa.network.network_port`*:: + -- Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) @@ -54909,7 +55305,7 @@ type: long -- -*`fortinet.rsa.network.eth_host`*:: +*`rsa.network.eth_host`*:: + -- Deprecated, use alias.mac @@ -54918,7 +55314,7 @@ type: keyword -- -*`fortinet.rsa.network.sinterface`*:: +*`rsa.network.sinterface`*:: + -- This key should only be used when it’s a Source Interface @@ -54927,7 +55323,7 @@ type: keyword -- -*`fortinet.rsa.network.dinterface`*:: +*`rsa.network.dinterface`*:: + -- This key should only be used when it’s a Destination Interface @@ -54936,7 +55332,7 @@ type: keyword -- -*`fortinet.rsa.network.vlan`*:: +*`rsa.network.vlan`*:: + -- This key should only be used to capture the ID of the Virtual LAN @@ -54945,7 +55341,7 @@ type: long -- -*`fortinet.rsa.network.zone_src`*:: +*`rsa.network.zone_src`*:: + -- This key should only be used when it’s a Source Zone. @@ -54954,7 +55350,7 @@ type: keyword -- -*`fortinet.rsa.network.zone`*:: +*`rsa.network.zone`*:: + -- This key should be used when the source or destination context of a Zone is not clear @@ -54963,7 +55359,7 @@ type: keyword -- -*`fortinet.rsa.network.zone_dst`*:: +*`rsa.network.zone_dst`*:: + -- This key should only be used when it’s a Destination Zone. @@ -54972,7 +55368,7 @@ type: keyword -- -*`fortinet.rsa.network.gateway`*:: +*`rsa.network.gateway`*:: + -- This key is used to capture the IP Address of the gateway @@ -54981,7 +55377,7 @@ type: keyword -- -*`fortinet.rsa.network.icmp_type`*:: +*`rsa.network.icmp_type`*:: + -- This key is used to capture the ICMP type only 
@@ -54990,7 +55386,7 @@ type: long -- -*`fortinet.rsa.network.mask`*:: +*`rsa.network.mask`*:: + -- This key is used to capture the device network IPmask. @@ -54999,7 +55395,7 @@ type: keyword -- -*`fortinet.rsa.network.icmp_code`*:: +*`rsa.network.icmp_code`*:: + -- This key is used to capture the ICMP code only @@ -55008,7 +55404,7 @@ type: long -- -*`fortinet.rsa.network.protocol_detail`*:: +*`rsa.network.protocol_detail`*:: + -- This key should be used to capture additional protocol information @@ -55017,7 +55413,7 @@ type: keyword -- -*`fortinet.rsa.network.dmask`*:: +*`rsa.network.dmask`*:: + -- This key is used for Destionation Device network mask @@ -55026,7 +55422,7 @@ type: keyword -- -*`fortinet.rsa.network.port`*:: +*`rsa.network.port`*:: + -- This key should only be used to capture a Network Port when the directionality is not clear @@ -55035,7 +55431,7 @@ type: long -- -*`fortinet.rsa.network.smask`*:: +*`rsa.network.smask`*:: + -- This key is used for capturing source Network Mask @@ -55044,7 +55440,7 @@ type: keyword -- -*`fortinet.rsa.network.netname`*:: +*`rsa.network.netname`*:: + -- This key is used to capture the network name associated with an IP range. This is configured by the end user. @@ -55053,7 +55449,7 @@ type: keyword -- -*`fortinet.rsa.network.paddr`*:: +*`rsa.network.paddr`*:: + -- Deprecated 
@@ -55062,91 +55458,91 @@ type: ip -- -*`fortinet.rsa.network.faddr`*:: +*`rsa.network.faddr`*:: + -- type: keyword -- -*`fortinet.rsa.network.lhost`*:: +*`rsa.network.lhost`*:: + -- type: keyword -- -*`fortinet.rsa.network.origin`*:: +*`rsa.network.origin`*:: + -- type: keyword -- -*`fortinet.rsa.network.remote_domain_id`*:: +*`rsa.network.remote_domain_id`*:: + -- type: keyword -- -*`fortinet.rsa.network.addr`*:: +*`rsa.network.addr`*:: + -- type: keyword -- -*`fortinet.rsa.network.dns_a_record`*:: +*`rsa.network.dns_a_record`*:: + -- type: keyword -- -*`fortinet.rsa.network.dns_ptr_record`*:: +*`rsa.network.dns_ptr_record`*:: + -- type: keyword -- -*`fortinet.rsa.network.fhost`*:: +*`rsa.network.fhost`*:: + -- type: keyword -- -*`fortinet.rsa.network.fport`*:: +*`rsa.network.fport`*:: + -- type: keyword -- -*`fortinet.rsa.network.laddr`*:: +*`rsa.network.laddr`*:: + -- type: keyword -- -*`fortinet.rsa.network.linterface`*:: +*`rsa.network.linterface`*:: + -- type: keyword -- -*`fortinet.rsa.network.phost`*:: +*`rsa.network.phost`*:: + -- type: keyword -- -*`fortinet.rsa.network.ad_computer_dst`*:: +*`rsa.network.ad_computer_dst`*:: + -- Deprecated, use host.dst @@ -55155,7 +55551,7 @@ type: keyword -- -*`fortinet.rsa.network.eth_type`*:: +*`rsa.network.eth_type`*:: + -- This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only @@ -55164,7 +55560,7 @@ type: long -- -*`fortinet.rsa.network.ip_proto`*:: +*`rsa.network.ip_proto`*:: + -- This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI 
@@ -55173,63 +55569,63 @@ type: long -- -*`fortinet.rsa.network.dns_cname_record`*:: +*`rsa.network.dns_cname_record`*:: + -- type: keyword -- -*`fortinet.rsa.network.dns_id`*:: +*`rsa.network.dns_id`*:: + -- type: keyword -- -*`fortinet.rsa.network.dns_opcode`*:: +*`rsa.network.dns_opcode`*:: + -- type: keyword -- -*`fortinet.rsa.network.dns_resp`*:: +*`rsa.network.dns_resp`*:: + -- type: keyword -- -*`fortinet.rsa.network.dns_type`*:: +*`rsa.network.dns_type`*:: + -- type: keyword -- -*`fortinet.rsa.network.domain1`*:: +*`rsa.network.domain1`*:: + -- type: keyword -- -*`fortinet.rsa.network.host_type`*:: +*`rsa.network.host_type`*:: + -- type: keyword -- -*`fortinet.rsa.network.packet_length`*:: +*`rsa.network.packet_length`*:: + -- type: keyword -- -*`fortinet.rsa.network.host_orig`*:: +*`rsa.network.host_orig`*:: + -- This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. @@ -55238,7 +55634,7 @@ type: keyword -- -*`fortinet.rsa.network.rpayload`*:: +*`rsa.network.rpayload`*:: + -- This key is used to capture the total number of payload bytes seen in the retransmitted packets. @@ -55247,7 +55643,7 @@ type: keyword -- -*`fortinet.rsa.network.vlan_name`*:: +*`rsa.network.vlan_name`*:: + -- This key should only be used to capture the name of the Virtual LAN @@ -55257,7 +55653,7 @@ type: keyword -- -*`fortinet.rsa.investigations.ec_activity`*:: +*`rsa.investigations.ec_activity`*:: + -- This key captures the particular event activity(Ex:Logoff) @@ -55266,7 +55662,7 @@ type: keyword -- -*`fortinet.rsa.investigations.ec_theme`*:: +*`rsa.investigations.ec_theme`*:: + -- This key captures the Theme of a particular Event(Ex:Authentication) @@ -55275,7 +55671,7 @@ type: keyword -- -*`fortinet.rsa.investigations.ec_subject`*:: +*`rsa.investigations.ec_subject`*:: + -- This key captures the Subject of a particular Event(Ex:User) 
@@ -55284,7 +55680,7 @@ type: keyword -- -*`fortinet.rsa.investigations.ec_outcome`*:: +*`rsa.investigations.ec_outcome`*:: + -- This key captures the outcome of a particular Event(Ex:Success) @@ -55293,7 +55689,7 @@ type: keyword -- -*`fortinet.rsa.investigations.event_cat`*:: +*`rsa.investigations.event_cat`*:: + -- This key captures the Event category number @@ -55302,7 +55698,7 @@ type: long -- -*`fortinet.rsa.investigations.event_cat_name`*:: +*`rsa.investigations.event_cat_name`*:: + -- This key captures the event category name corresponding to the event cat code @@ -55311,7 +55707,7 @@ type: keyword -- -*`fortinet.rsa.investigations.event_vcat`*:: +*`rsa.investigations.event_vcat`*:: + -- This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. @@ -55320,7 +55716,7 @@ type: keyword -- -*`fortinet.rsa.investigations.analysis_file`*:: +*`rsa.investigations.analysis_file`*:: + -- This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file @@ -55329,7 +55725,7 @@ type: keyword -- -*`fortinet.rsa.investigations.analysis_service`*:: +*`rsa.investigations.analysis_service`*:: + -- This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service @@ -55338,7 +55734,7 @@ type: keyword -- -*`fortinet.rsa.investigations.analysis_session`*:: +*`rsa.investigations.analysis_session`*:: + -- This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session @@ -55347,7 +55743,7 @@ type: keyword -- -*`fortinet.rsa.investigations.boc`*:: +*`rsa.investigations.boc`*:: + -- This is used to capture behaviour of compromise @@ -55356,7 +55752,7 @@ type: keyword -- -*`fortinet.rsa.investigations.eoc`*:: +*`rsa.investigations.eoc`*:: + -- This is used to capture Enablers of Compromise 
@@ -55365,7 +55761,7 @@ type: keyword -- -*`fortinet.rsa.investigations.inv_category`*:: +*`rsa.investigations.inv_category`*:: + -- This used to capture investigation category @@ -55374,7 +55770,7 @@ type: keyword -- -*`fortinet.rsa.investigations.inv_context`*:: +*`rsa.investigations.inv_context`*:: + -- This used to capture investigation context @@ -55383,7 +55779,7 @@ type: keyword -- -*`fortinet.rsa.investigations.ioc`*:: +*`rsa.investigations.ioc`*:: + -- This is key capture indicator of compromise @@ -55393,7 +55789,7 @@ type: keyword -- -*`fortinet.rsa.counters.dclass_c1`*:: +*`rsa.counters.dclass_c1`*:: + -- This is a generic counter key that should be used with the label dclass.c1.str only @@ -55402,7 +55798,7 @@ type: long -- -*`fortinet.rsa.counters.dclass_c2`*:: +*`rsa.counters.dclass_c2`*:: + -- This is a generic counter key that should be used with the label dclass.c2.str only @@ -55411,7 +55807,7 @@ type: long -- -*`fortinet.rsa.counters.event_counter`*:: +*`rsa.counters.event_counter`*:: + -- This is used to capture the number of times an event repeated @@ -55420,7 +55816,7 @@ type: long -- -*`fortinet.rsa.counters.dclass_r1`*:: +*`rsa.counters.dclass_r1`*:: + -- This is a generic ratio key that should be used with the label dclass.r1.str only @@ -55429,7 +55825,7 @@ type: keyword -- -*`fortinet.rsa.counters.dclass_c3`*:: +*`rsa.counters.dclass_c3`*:: + -- This is a generic counter key that should be used with the label dclass.c3.str only @@ -55438,7 +55834,7 @@ type: long -- -*`fortinet.rsa.counters.dclass_c1_str`*:: +*`rsa.counters.dclass_c1_str`*:: + -- This is a generic counter string key that should be used with the label dclass.c1 only @@ -55447,7 +55843,7 @@ type: keyword -- -*`fortinet.rsa.counters.dclass_c2_str`*:: +*`rsa.counters.dclass_c2_str`*:: + -- This is a generic counter string key that should be used with the label dclass.c2 only 
@@ -55456,7 +55852,7 @@ type: keyword -- -*`fortinet.rsa.counters.dclass_r1_str`*:: +*`rsa.counters.dclass_r1_str`*:: + -- This is a generic ratio string key that should be used with the label dclass.r1 only @@ -55465,7 +55861,7 @@ type: keyword -- -*`fortinet.rsa.counters.dclass_r2`*:: +*`rsa.counters.dclass_r2`*:: + -- This is a generic ratio key that should be used with the label dclass.r2.str only @@ -55474,7 +55870,7 @@ type: keyword -- -*`fortinet.rsa.counters.dclass_c3_str`*:: +*`rsa.counters.dclass_c3_str`*:: + -- This is a generic counter string key that should be used with the label dclass.c3 only @@ -55483,7 +55879,7 @@ type: keyword -- -*`fortinet.rsa.counters.dclass_r3`*:: +*`rsa.counters.dclass_r3`*:: + -- This is a generic ratio key that should be used with the label dclass.r3.str only @@ -55492,7 +55888,7 @@ type: keyword -- -*`fortinet.rsa.counters.dclass_r2_str`*:: +*`rsa.counters.dclass_r2_str`*:: + -- This is a generic ratio string key that should be used with the label dclass.r2 only @@ -55501,7 +55897,7 @@ type: keyword -- -*`fortinet.rsa.counters.dclass_r3_str`*:: +*`rsa.counters.dclass_r3_str`*:: + -- This is a generic ratio string key that should be used with the label dclass.r3 only @@ -55511,7 +55907,7 @@ type: keyword -- -*`fortinet.rsa.identity.auth_method`*:: +*`rsa.identity.auth_method`*:: + -- This key is used to capture authentication methods used only @@ -55520,7 +55916,7 @@ type: keyword -- -*`fortinet.rsa.identity.user_role`*:: +*`rsa.identity.user_role`*:: + -- This key is used to capture the Role of a user only @@ -55529,7 +55925,7 @@ type: keyword -- -*`fortinet.rsa.identity.dn`*:: +*`rsa.identity.dn`*:: + -- X.500 (LDAP) Distinguished Name @@ -55538,7 +55934,7 @@ type: keyword -- -*`fortinet.rsa.identity.logon_type`*:: +*`rsa.identity.logon_type`*:: + -- This key is used to capture the type of logon method used. 
@@ -55547,7 +55943,7 @@ type: keyword -- -*`fortinet.rsa.identity.profile`*:: +*`rsa.identity.profile`*:: + -- This key is used to capture the user profile @@ -55556,7 +55952,7 @@ type: keyword -- -*`fortinet.rsa.identity.accesses`*:: +*`rsa.identity.accesses`*:: + -- This key is used to capture actual privileges used in accessing an object @@ -55565,7 +55961,7 @@ type: keyword -- -*`fortinet.rsa.identity.realm`*:: +*`rsa.identity.realm`*:: + -- Radius realm or similar grouping of accounts @@ -55574,7 +55970,7 @@ type: keyword -- -*`fortinet.rsa.identity.user_sid_dst`*:: +*`rsa.identity.user_sid_dst`*:: + -- This key captures Destination User Session ID @@ -55583,7 +55979,7 @@ type: keyword -- -*`fortinet.rsa.identity.dn_src`*:: +*`rsa.identity.dn_src`*:: + -- An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn @@ -55592,7 +55988,7 @@ type: keyword -- -*`fortinet.rsa.identity.org`*:: +*`rsa.identity.org`*:: + -- This key captures the User organization @@ -55601,7 +55997,7 @@ type: keyword -- -*`fortinet.rsa.identity.dn_dst`*:: +*`rsa.identity.dn_dst`*:: + -- An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn @@ -55610,7 +56006,7 @@ type: keyword -- -*`fortinet.rsa.identity.firstname`*:: +*`rsa.identity.firstname`*:: + -- This key is for First Names only, this is used for Healthcare predominantly to capture Patients information @@ -55619,7 +56015,7 @@ type: keyword -- -*`fortinet.rsa.identity.lastname`*:: +*`rsa.identity.lastname`*:: + -- This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information @@ -55628,7 +56024,7 @@ type: keyword -- -*`fortinet.rsa.identity.user_dept`*:: +*`rsa.identity.user_dept`*:: + -- User's Department Names only @@ -55637,7 +56033,7 @@ type: keyword -- -*`fortinet.rsa.identity.user_sid_src`*:: +*`rsa.identity.user_sid_src`*:: + -- This key captures Source User Session ID 
@@ -55646,7 +56042,7 @@ type: keyword -- -*`fortinet.rsa.identity.federated_sp`*:: +*`rsa.identity.federated_sp`*:: + -- This key is the Federated Service Provider. This is the application requesting authentication. @@ -55655,7 +56051,7 @@ type: keyword -- -*`fortinet.rsa.identity.federated_idp`*:: +*`rsa.identity.federated_idp`*:: + -- This key is the federated Identity Provider. This is the server providing the authentication. @@ -55664,7 +56060,7 @@ type: keyword -- -*`fortinet.rsa.identity.logon_type_desc`*:: +*`rsa.identity.logon_type_desc`*:: + -- This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. @@ -55673,7 +56069,7 @@ type: keyword -- -*`fortinet.rsa.identity.middlename`*:: +*`rsa.identity.middlename`*:: + -- This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information @@ -55682,7 +56078,7 @@ type: keyword -- -*`fortinet.rsa.identity.password`*:: +*`rsa.identity.password`*:: + -- This key is for Passwords seen in any session, plain text or encrypted @@ -55691,7 +56087,7 @@ type: keyword -- -*`fortinet.rsa.identity.host_role`*:: +*`rsa.identity.host_role`*:: + -- This key should only be used to capture the role of a Host Machine @@ -55700,7 +56096,7 @@ type: keyword -- -*`fortinet.rsa.identity.ldap`*:: +*`rsa.identity.ldap`*:: + -- This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context @@ -55709,7 +56105,7 @@ type: keyword -- -*`fortinet.rsa.identity.ldap_query`*:: +*`rsa.identity.ldap_query`*:: + -- This key is the Search criteria from an LDAP search @@ -55718,7 +56114,7 @@ type: keyword -- -*`fortinet.rsa.identity.ldap_response`*:: +*`rsa.identity.ldap_response`*:: + -- This key is to capture Results from an LDAP search 
@@ -55727,7 +56123,7 @@ type: keyword -- -*`fortinet.rsa.identity.owner`*:: +*`rsa.identity.owner`*:: + -- This is used to capture username the process or service is running as, the author of the task @@ -55736,7 +56132,7 @@ type: keyword -- -*`fortinet.rsa.identity.service_account`*:: +*`rsa.identity.service_account`*:: + -- This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage @@ -55746,7 +56142,7 @@ type: keyword -- -*`fortinet.rsa.email.email_dst`*:: +*`rsa.email.email_dst`*:: + -- This key is used to capture the Destination email address only, when the destination context is not clear use email @@ -55755,7 +56151,7 @@ type: keyword -- -*`fortinet.rsa.email.email_src`*:: +*`rsa.email.email_src`*:: + -- This key is used to capture the source email address only, when the source context is not clear use email @@ -55764,7 +56160,7 @@ type: keyword -- -*`fortinet.rsa.email.subject`*:: +*`rsa.email.subject`*:: + -- This key is used to capture the subject string from an Email only. @@ -55773,7 +56169,7 @@ type: keyword -- -*`fortinet.rsa.email.email`*:: +*`rsa.email.email`*:: + -- This key is used to capture a generic email address where the source or destination context is not clear @@ -55782,7 +56178,7 @@ type: keyword -- -*`fortinet.rsa.email.trans_from`*:: +*`rsa.email.trans_from`*:: + -- Deprecated key defined only in table map. @@ -55791,7 +56187,7 @@ type: keyword -- -*`fortinet.rsa.email.trans_to`*:: +*`rsa.email.trans_to`*:: + -- Deprecated key defined only in table map. @@ -55801,7 +56197,7 @@ type: keyword -- -*`fortinet.rsa.file.privilege`*:: +*`rsa.file.privilege`*:: + -- Deprecated, use permissions @@ -55810,7 +56206,7 @@ type: keyword -- -*`fortinet.rsa.file.attachment`*:: +*`rsa.file.attachment`*:: + -- This key captures the attachment file name 
@@ -55819,14 +56215,14 @@ type: keyword -- -*`fortinet.rsa.file.filesystem`*:: +*`rsa.file.filesystem`*:: + -- type: keyword -- -*`fortinet.rsa.file.binary`*:: +*`rsa.file.binary`*:: + -- Deprecated key defined only in table map. @@ -55835,7 +56231,7 @@ type: keyword -- -*`fortinet.rsa.file.filename_dst`*:: +*`rsa.file.filename_dst`*:: + -- This is used to capture name of the file targeted by the action @@ -55844,7 +56240,7 @@ type: keyword -- -*`fortinet.rsa.file.filename_src`*:: +*`rsa.file.filename_src`*:: + -- This is used to capture name of the parent filename, the file which performed the action @@ -55853,14 +56249,14 @@ type: keyword -- -*`fortinet.rsa.file.filename_tmp`*:: +*`rsa.file.filename_tmp`*:: + -- type: keyword -- -*`fortinet.rsa.file.directory_dst`*:: +*`rsa.file.directory_dst`*:: + -- This key is used to capture the directory of the target process or file @@ -55869,7 +56265,7 @@ type: keyword -- -*`fortinet.rsa.file.directory_src`*:: +*`rsa.file.directory_src`*:: + -- This key is used to capture the directory of the source process or file @@ -55878,7 +56274,7 @@ type: keyword -- -*`fortinet.rsa.file.file_entropy`*:: +*`rsa.file.file_entropy`*:: + -- This is used to capture entropy vale of a file @@ -55887,7 +56283,7 @@ type: double -- -*`fortinet.rsa.file.file_vendor`*:: +*`rsa.file.file_vendor`*:: + -- This is used to capture Company name of file located in version_info @@ -55896,7 +56292,7 @@ type: keyword -- -*`fortinet.rsa.file.task_name`*:: +*`rsa.file.task_name`*:: + -- This is used to capture name of the task @@ -55906,7 +56302,7 @@ type: keyword -- -*`fortinet.rsa.web.fqdn`*:: +*`rsa.web.fqdn`*:: + -- Fully Qualified Domain Names @@ -55915,7 +56311,7 @@ type: keyword -- -*`fortinet.rsa.web.web_cookie`*:: +*`rsa.web.web_cookie`*:: + -- This key is used to capture the Web cookies specifically. 
@@ -55924,14 +56320,14 @@ type: keyword -- -*`fortinet.rsa.web.alias_host`*:: +*`rsa.web.alias_host`*:: + -- type: keyword -- -*`fortinet.rsa.web.reputation_num`*:: +*`rsa.web.reputation_num`*:: + -- Reputation Number of an entity. Typically used for Web Domains @@ -55940,7 +56336,7 @@ type: double -- -*`fortinet.rsa.web.web_ref_domain`*:: +*`rsa.web.web_ref_domain`*:: + -- Web referer's domain @@ -55949,7 +56345,7 @@ type: keyword -- -*`fortinet.rsa.web.web_ref_query`*:: +*`rsa.web.web_ref_query`*:: + -- This key captures Web referer's query portion of the URL @@ -55958,14 +56354,14 @@ type: keyword -- -*`fortinet.rsa.web.remote_domain`*:: +*`rsa.web.remote_domain`*:: + -- type: keyword -- -*`fortinet.rsa.web.web_ref_page`*:: +*`rsa.web.web_ref_page`*:: + -- This key captures Web referer's page information @@ -55974,7 +56370,7 @@ type: keyword -- -*`fortinet.rsa.web.web_ref_root`*:: +*`rsa.web.web_ref_root`*:: + -- Web referer's root URL path @@ -55983,77 +56379,77 @@ type: keyword -- -*`fortinet.rsa.web.cn_asn_dst`*:: +*`rsa.web.cn_asn_dst`*:: + -- type: keyword -- -*`fortinet.rsa.web.cn_rpackets`*:: +*`rsa.web.cn_rpackets`*:: + -- type: keyword -- -*`fortinet.rsa.web.urlpage`*:: +*`rsa.web.urlpage`*:: + -- type: keyword -- -*`fortinet.rsa.web.urlroot`*:: +*`rsa.web.urlroot`*:: + -- type: keyword -- -*`fortinet.rsa.web.p_url`*:: +*`rsa.web.p_url`*:: + -- type: keyword -- -*`fortinet.rsa.web.p_user_agent`*:: +*`rsa.web.p_user_agent`*:: + -- type: keyword -- -*`fortinet.rsa.web.p_web_cookie`*:: +*`rsa.web.p_web_cookie`*:: + -- type: keyword -- -*`fortinet.rsa.web.p_web_method`*:: +*`rsa.web.p_web_method`*:: + -- type: keyword -- -*`fortinet.rsa.web.p_web_referer`*:: +*`rsa.web.p_web_referer`*:: + -- type: keyword -- -*`fortinet.rsa.web.web_extension_tmp`*:: +*`rsa.web.web_extension_tmp`*:: + -- type: keyword -- -*`fortinet.rsa.web.web_page`*:: +*`rsa.web.web_page`*:: + -- type: keyword 
@@ -56061,7 +56457,7 @@ type: keyword -- -*`fortinet.rsa.threat.threat_category`*:: +*`rsa.threat.threat_category`*:: + -- This key captures Threat Name/Threat Category/Categorization of alert @@ -56070,7 +56466,7 @@ type: keyword -- -*`fortinet.rsa.threat.threat_desc`*:: +*`rsa.threat.threat_desc`*:: + -- This key is used to capture the threat description from the session directly or inferred @@ -56079,7 +56475,7 @@ type: keyword -- -*`fortinet.rsa.threat.alert`*:: +*`rsa.threat.alert`*:: + -- This key is used to capture name of the alert @@ -56088,7 +56484,7 @@ type: keyword -- -*`fortinet.rsa.threat.threat_source`*:: +*`rsa.threat.threat_source`*:: + -- This key is used to capture source of the threat @@ -56098,7 +56494,7 @@ type: keyword -- -*`fortinet.rsa.crypto.crypto`*:: +*`rsa.crypto.crypto`*:: + -- This key is used to capture the Encryption Type or Encryption Key only @@ -56107,7 +56503,7 @@ type: keyword -- -*`fortinet.rsa.crypto.cipher_src`*:: +*`rsa.crypto.cipher_src`*:: + -- This key is for Source (Client) Cipher @@ -56116,7 +56512,7 @@ type: keyword -- -*`fortinet.rsa.crypto.cert_subject`*:: +*`rsa.crypto.cert_subject`*:: + -- This key is used to capture the Certificate organization only @@ -56125,7 +56521,7 @@ type: keyword -- -*`fortinet.rsa.crypto.peer`*:: +*`rsa.crypto.peer`*:: + -- This key is for Encryption peer's IP Address @@ -56134,7 +56530,7 @@ type: keyword -- -*`fortinet.rsa.crypto.cipher_size_src`*:: +*`rsa.crypto.cipher_size_src`*:: + -- This key captures Source (Client) Cipher Size @@ -56143,7 +56539,7 @@ type: long -- -*`fortinet.rsa.crypto.ike`*:: +*`rsa.crypto.ike`*:: + -- IKE negotiation phase. @@ -56152,7 +56548,7 @@ type: keyword -- -*`fortinet.rsa.crypto.scheme`*:: +*`rsa.crypto.scheme`*:: + -- This key captures the Encryption scheme used @@ -56161,7 +56557,7 @@ type: keyword -- -*`fortinet.rsa.crypto.peer_id`*:: +*`rsa.crypto.peer_id`*:: + -- This key is for Encryption peer’s identity 
@@ -56170,7 +56566,7 @@ type: keyword -- -*`fortinet.rsa.crypto.sig_type`*:: +*`rsa.crypto.sig_type`*:: + -- This key captures the Signature Type @@ -56179,14 +56575,14 @@ type: keyword -- -*`fortinet.rsa.crypto.cert_issuer`*:: +*`rsa.crypto.cert_issuer`*:: + -- type: keyword -- -*`fortinet.rsa.crypto.cert_host_name`*:: +*`rsa.crypto.cert_host_name`*:: + -- Deprecated key defined only in table map. @@ -56195,7 +56591,7 @@ type: keyword -- -*`fortinet.rsa.crypto.cert_error`*:: +*`rsa.crypto.cert_error`*:: + -- This key captures the Certificate Error String @@ -56204,7 +56600,7 @@ type: keyword -- -*`fortinet.rsa.crypto.cipher_dst`*:: +*`rsa.crypto.cipher_dst`*:: + -- This key is for Destination (Server) Cipher @@ -56213,7 +56609,7 @@ type: keyword -- -*`fortinet.rsa.crypto.cipher_size_dst`*:: +*`rsa.crypto.cipher_size_dst`*:: + -- This key captures Destination (Server) Cipher Size @@ -56222,7 +56618,7 @@ type: long -- -*`fortinet.rsa.crypto.ssl_ver_src`*:: +*`rsa.crypto.ssl_ver_src`*:: + -- Deprecated, use version @@ -56231,21 +56627,21 @@ type: keyword -- -*`fortinet.rsa.crypto.d_certauth`*:: +*`rsa.crypto.d_certauth`*:: + -- type: keyword -- -*`fortinet.rsa.crypto.s_certauth`*:: +*`rsa.crypto.s_certauth`*:: + -- type: keyword -- -*`fortinet.rsa.crypto.ike_cookie1`*:: +*`rsa.crypto.ike_cookie1`*:: + -- ID of the negotiation — sent for ISAKMP Phase One @@ -56254,7 +56650,7 @@ type: keyword -- -*`fortinet.rsa.crypto.ike_cookie2`*:: +*`rsa.crypto.ike_cookie2`*:: + -- ID of the negotiation — sent for ISAKMP Phase Two @@ -56263,14 +56659,14 @@ type: keyword -- -*`fortinet.rsa.crypto.cert_checksum`*:: +*`rsa.crypto.cert_checksum`*:: + -- type: keyword -- -*`fortinet.rsa.crypto.cert_host_cat`*:: +*`rsa.crypto.cert_host_cat`*:: + -- This key is used for the hostname category value of a certificate @@ -56279,7 +56675,7 @@ type: keyword -- -*`fortinet.rsa.crypto.cert_serial`*:: +*`rsa.crypto.cert_serial`*:: + -- This key is used to capture the Certificate serial number only 
@@ -56288,7 +56684,7 @@ type: keyword -- -*`fortinet.rsa.crypto.cert_status`*:: +*`rsa.crypto.cert_status`*:: + -- This key captures Certificate validation status @@ -56297,7 +56693,7 @@ type: keyword -- -*`fortinet.rsa.crypto.ssl_ver_dst`*:: +*`rsa.crypto.ssl_ver_dst`*:: + -- Deprecated, use version @@ -56306,35 +56702,35 @@ type: keyword -- -*`fortinet.rsa.crypto.cert_keysize`*:: +*`rsa.crypto.cert_keysize`*:: + -- type: keyword -- -*`fortinet.rsa.crypto.cert_username`*:: +*`rsa.crypto.cert_username`*:: + -- type: keyword -- -*`fortinet.rsa.crypto.https_insact`*:: +*`rsa.crypto.https_insact`*:: + -- type: keyword -- -*`fortinet.rsa.crypto.https_valid`*:: +*`rsa.crypto.https_valid`*:: + -- type: keyword -- -*`fortinet.rsa.crypto.cert_ca`*:: +*`rsa.crypto.cert_ca`*:: + -- This key is used to capture the Certificate signing authority only @@ -56343,7 +56739,7 @@ type: keyword -- -*`fortinet.rsa.crypto.cert_common`*:: +*`rsa.crypto.cert_common`*:: + -- This key is used to capture the Certificate common name only @@ -56353,7 +56749,7 @@ type: keyword -- -*`fortinet.rsa.wireless.wlan_ssid`*:: +*`rsa.wireless.wlan_ssid`*:: + -- This key is used to capture the ssid of a Wireless Session @@ -56362,7 +56758,7 @@ type: keyword -- -*`fortinet.rsa.wireless.access_point`*:: +*`rsa.wireless.access_point`*:: + -- This key is used to capture the access point name. @@ -56371,7 +56767,7 @@ type: keyword -- -*`fortinet.rsa.wireless.wlan_channel`*:: +*`rsa.wireless.wlan_channel`*:: + -- This is used to capture the channel names @@ -56380,7 +56776,7 @@ type: long -- -*`fortinet.rsa.wireless.wlan_name`*:: +*`rsa.wireless.wlan_name`*:: + -- This key captures either WLAN number/name @@ -56390,7 +56786,7 @@ type: keyword -- -*`fortinet.rsa.storage.disk_volume`*:: +*`rsa.storage.disk_volume`*:: + -- A unique name assigned to logical units (volumes) within a physical disk 
@@ -56399,7 +56795,7 @@ type: keyword -- -*`fortinet.rsa.storage.lun`*:: +*`rsa.storage.lun`*:: + -- Logical Unit Number.This key is a very useful concept in Storage. @@ -56408,7 +56804,7 @@ type: keyword -- -*`fortinet.rsa.storage.pwwn`*:: +*`rsa.storage.pwwn`*:: + -- This uniquely identifies a port on a HBA. @@ -56418,7 +56814,7 @@ type: keyword -- -*`fortinet.rsa.physical.org_dst`*:: +*`rsa.physical.org_dst`*:: + -- This is used to capture the destination organization based on the GEOPIP Maxmind database. @@ -56427,7 +56823,7 @@ type: keyword -- -*`fortinet.rsa.physical.org_src`*:: +*`rsa.physical.org_src`*:: + -- This is used to capture the source organization based on the GEOPIP Maxmind database. @@ -56437,7 +56833,7 @@ type: keyword -- -*`fortinet.rsa.healthcare.patient_fname`*:: +*`rsa.healthcare.patient_fname`*:: + -- This key is for First Names only, this is used for Healthcare predominantly to capture Patients information @@ -56446,7 +56842,7 @@ type: keyword -- -*`fortinet.rsa.healthcare.patient_id`*:: +*`rsa.healthcare.patient_id`*:: + -- This key captures the unique ID for a patient @@ -56455,7 +56851,7 @@ type: keyword -- -*`fortinet.rsa.healthcare.patient_lname`*:: +*`rsa.healthcare.patient_lname`*:: + -- This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information @@ -56464,7 +56860,7 @@ type: keyword -- -*`fortinet.rsa.healthcare.patient_mname`*:: +*`rsa.healthcare.patient_mname`*:: + -- This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information @@ -56474,7 +56870,7 @@ type: keyword -- -*`fortinet.rsa.endpoint.host_state`*:: +*`rsa.endpoint.host_state`*:: + -- This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on @@ -56483,7 +56879,7 @@ type: keyword -- -*`fortinet.rsa.endpoint.registry_key`*:: +*`rsa.endpoint.registry_key`*:: + -- This key captures the path to the registry key 
@@ -56492,11 +56888,28 @@ type: keyword -- -*`fortinet.rsa.endpoint.registry_value`*:: +*`rsa.endpoint.registry_value`*:: + -- This key captures values or decorators used within a registry entry +type: keyword + +-- + +[float] +=== fortinet + +Fields from fortinet FortiOS + + + +*`fortinet.file.hash.crc32`*:: ++ +-- +CRC32 Hash of file + + type: keyword -- @@ -56661,7 +57074,7 @@ type: keyword *`fortinet.firewall.analyticssubmit`*:: + -- -The flag for analytics submission +The flag for analytics submission type: keyword @@ -57761,7 +58174,7 @@ type: keyword *`fortinet.firewall.ds`*:: + -- -Direction with distribution system +Direction with distribution system type: keyword @@ -57941,7 +58354,7 @@ type: keyword *`fortinet.firewall.eapolcnt`*:: + -- -EAPOL packet count +EAPOL packet count type: integer @@ -57961,7 +58374,7 @@ type: keyword *`fortinet.firewall.encrypt`*:: + -- -Whether the packet is encrypted or not +Whether the packet is encrypted or not type: integer @@ -58041,7 +58454,7 @@ type: keyword *`fortinet.firewall.expiry`*:: + -- -FortiGuard override expiry timestamp +FortiGuard override expiry timestamp type: keyword @@ -59801,7 +60214,7 @@ type: keyword *`fortinet.firewall.shapersentname`*:: + -- -Traffic shaper name for sent traffic +Traffic shaper name for sent traffic type: keyword @@ -60281,7 +60694,7 @@ type: integer *`fortinet.firewall.totalsession`*:: + -- -Total Number of Sessions +Total Number of Sessions type: integer @@ -86793,14 +87206,7 @@ Microsoft Module [float] -=== microsoft - -Fields from Microsoft ATP - - - -[float] -=== defender_atp +=== microsoft.defender_atp Module for ingesting Microsoft Defender ATP. @@ -86976,7 +87382,7 @@ type: keyword -- -*`microsoft.network.interface.name`*:: +*`network.interface.name`*:: + -- Name of the network interface where the traffic has been observed. 
@@ -86988,7 +87394,7 @@ type: keyword -*`microsoft.rsa.internal.msg`*:: +*`rsa.internal.msg`*:: + -- This key is used to capture the raw message that comes into the Log Decoder @@ -86997,21 +87403,21 @@ type: keyword -- -*`microsoft.rsa.internal.messageid`*:: +*`rsa.internal.messageid`*:: + -- type: keyword -- -*`microsoft.rsa.internal.event_desc`*:: +*`rsa.internal.event_desc`*:: + -- type: keyword -- -*`microsoft.rsa.internal.message`*:: +*`rsa.internal.message`*:: + -- This key captures the contents of instant messages @@ -87020,7 +87426,7 @@ type: keyword -- -*`microsoft.rsa.internal.time`*:: +*`rsa.internal.time`*:: + -- This is the time at which a session hits a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. @@ -87029,7 +87435,7 @@ type: date -- -*`microsoft.rsa.internal.level`*:: +*`rsa.internal.level`*:: + -- Deprecated key defined only in table map. @@ -87038,7 +87444,7 @@ type: long -- -*`microsoft.rsa.internal.msg_id`*:: +*`rsa.internal.msg_id`*:: + -- This is the Message ID1 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -87047,7 +87453,7 @@ type: keyword -- -*`microsoft.rsa.internal.msg_vid`*:: +*`rsa.internal.msg_vid`*:: + -- This is the Message ID2 value that identifies the exact log parser definition which parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -87056,7 +87462,7 @@ type: keyword -- -*`microsoft.rsa.internal.data`*:: +*`rsa.internal.data`*:: + -- Deprecated key defined only in table map. @@ -87065,7 +87471,7 @@ type: keyword -- -*`microsoft.rsa.internal.obj_server`*:: +*`rsa.internal.obj_server`*:: + -- Deprecated key defined only in table map. 
@@ -87074,7 +87480,7 @@ type: keyword -- -*`microsoft.rsa.internal.obj_val`*:: +*`rsa.internal.obj_val`*:: + -- Deprecated key defined only in table map. @@ -87083,7 +87489,7 @@ type: keyword -- -*`microsoft.rsa.internal.resource`*:: +*`rsa.internal.resource`*:: + -- Deprecated key defined only in table map. @@ -87092,7 +87498,7 @@ type: keyword -- -*`microsoft.rsa.internal.obj_id`*:: +*`rsa.internal.obj_id`*:: + -- Deprecated key defined only in table map. @@ -87101,7 +87507,7 @@ type: keyword -- -*`microsoft.rsa.internal.statement`*:: +*`rsa.internal.statement`*:: + -- Deprecated key defined only in table map. @@ -87110,7 +87516,7 @@ type: keyword -- -*`microsoft.rsa.internal.audit_class`*:: +*`rsa.internal.audit_class`*:: + -- Deprecated key defined only in table map. @@ -87119,7 +87525,7 @@ type: keyword -- -*`microsoft.rsa.internal.entry`*:: +*`rsa.internal.entry`*:: + -- Deprecated key defined only in table map. @@ -87128,7 +87534,7 @@ type: keyword -- -*`microsoft.rsa.internal.hcode`*:: +*`rsa.internal.hcode`*:: + -- Deprecated key defined only in table map. @@ -87137,7 +87543,7 @@ type: keyword -- -*`microsoft.rsa.internal.inode`*:: +*`rsa.internal.inode`*:: + -- Deprecated key defined only in table map. @@ -87146,7 +87552,7 @@ type: long -- -*`microsoft.rsa.internal.resource_class`*:: +*`rsa.internal.resource_class`*:: + -- Deprecated key defined only in table map. @@ -87155,7 +87561,7 @@ type: keyword -- -*`microsoft.rsa.internal.dead`*:: +*`rsa.internal.dead`*:: + -- Deprecated key defined only in table map. @@ -87164,7 +87570,7 @@ type: long -- -*`microsoft.rsa.internal.feed_desc`*:: +*`rsa.internal.feed_desc`*:: + -- This is used to capture the description of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness 
@@ -87173,7 +87579,7 @@ type: keyword -- -*`microsoft.rsa.internal.feed_name`*:: +*`rsa.internal.feed_name`*:: + -- This is used to capture the name of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -87182,7 +87588,7 @@ type: keyword -- -*`microsoft.rsa.internal.cid`*:: +*`rsa.internal.cid`*:: + -- This is the unique identifier used to identify a NetWitness Concentrator. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -87191,7 +87597,7 @@ type: keyword -- -*`microsoft.rsa.internal.device_class`*:: +*`rsa.internal.device_class`*:: + -- This is the Classification of the Log Event Source under a predefined fixed set of Event Source Classifications. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -87200,7 +87606,7 @@ type: keyword -- -*`microsoft.rsa.internal.device_group`*:: +*`rsa.internal.device_group`*:: + -- This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -87209,7 +87615,7 @@ type: keyword -- -*`microsoft.rsa.internal.device_host`*:: +*`rsa.internal.device_host`*:: + -- This is the Hostname of the log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -87218,7 +87624,7 @@ type: keyword -- -*`microsoft.rsa.internal.device_ip`*:: +*`rsa.internal.device_ip`*:: + -- This is the IPv4 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness 
@@ -87227,7 +87633,7 @@ type: ip -- -*`microsoft.rsa.internal.device_ipv6`*:: +*`rsa.internal.device_ipv6`*:: + -- This is the IPv6 address of the Log Event Source sending the logs to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -87236,7 +87642,7 @@ type: ip -- -*`microsoft.rsa.internal.device_type`*:: +*`rsa.internal.device_type`*:: + -- This is the name of the log parser which parsed a given session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -87245,7 +87651,7 @@ type: keyword -- -*`microsoft.rsa.internal.device_type_id`*:: +*`rsa.internal.device_type_id`*:: + -- Deprecated key defined only in table map. @@ -87254,7 +87660,7 @@ type: long -- -*`microsoft.rsa.internal.did`*:: +*`rsa.internal.did`*:: + -- This is the unique identifier used to identify a NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -87263,7 +87669,7 @@ type: keyword -- -*`microsoft.rsa.internal.entropy_req`*:: +*`rsa.internal.entropy_req`*:: + -- This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration @@ -87272,7 +87678,7 @@ type: long -- -*`microsoft.rsa.internal.entropy_res`*:: +*`rsa.internal.entropy_res`*:: + -- This key is only used by the Entropy Parser, the Meta Type can be either UInt16 or Float32 based on the configuration @@ -87281,7 +87687,7 @@ type: long -- -*`microsoft.rsa.internal.event_name`*:: +*`rsa.internal.event_name`*:: + -- Deprecated key defined only in table map. 
@@ -87290,7 +87696,7 @@ type: keyword -- -*`microsoft.rsa.internal.feed_category`*:: +*`rsa.internal.feed_category`*:: + -- This is used to capture the category of the feed. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -87299,7 +87705,7 @@ type: keyword -- -*`microsoft.rsa.internal.forward_ip`*:: +*`rsa.internal.forward_ip`*:: + -- This key should be used to capture the IPV4 address of a relay system which forwarded the events from the original system to NetWitness. @@ -87308,7 +87714,7 @@ type: ip -- -*`microsoft.rsa.internal.forward_ipv6`*:: +*`rsa.internal.forward_ipv6`*:: + -- This key is used to capture the IPV6 address of a relay system which forwarded the events from the original system to NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -87317,7 +87723,7 @@ type: ip -- -*`microsoft.rsa.internal.header_id`*:: +*`rsa.internal.header_id`*:: + -- This is the Header ID value that identifies the exact log parser header definition that parses a particular log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -87326,7 +87732,7 @@ type: keyword -- -*`microsoft.rsa.internal.lc_cid`*:: +*`rsa.internal.lc_cid`*:: + -- This is a unique Identifier of a Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -87335,7 +87741,7 @@ type: keyword -- -*`microsoft.rsa.internal.lc_ctime`*:: +*`rsa.internal.lc_ctime`*:: + -- This is the time at which a log is collected in a NetWitness Log Collector. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness 
@@ -87344,7 +87750,7 @@ type: date -- -*`microsoft.rsa.internal.mcb_req`*:: +*`rsa.internal.mcb_req`*:: + -- This key is only used by the Entropy Parser, the most common byte request is simply which byte for each side (0 thru 255) was seen the most @@ -87353,7 +87759,7 @@ type: long -- -*`microsoft.rsa.internal.mcb_res`*:: +*`rsa.internal.mcb_res`*:: + -- This key is only used by the Entropy Parser, the most common byte response is simply which byte for each side (0 thru 255) was seen the most @@ -87362,7 +87768,7 @@ type: long -- -*`microsoft.rsa.internal.mcbc_req`*:: +*`rsa.internal.mcbc_req`*:: + -- This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams @@ -87371,7 +87777,7 @@ type: long -- -*`microsoft.rsa.internal.mcbc_res`*:: +*`rsa.internal.mcbc_res`*:: + -- This key is only used by the Entropy Parser, the most common byte count is the number of times the most common byte (above) was seen in the session streams @@ -87380,7 +87786,7 @@ type: long -- -*`microsoft.rsa.internal.medium`*:: +*`rsa.internal.medium`*:: + -- This key is used to identify if it’s a log/packet session or Layer 2 Encapsulation Type. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness. 32 = log, 33 = correlation session, < 32 is packet session @@ -87389,7 +87795,7 @@ type: long -- -*`microsoft.rsa.internal.node_name`*:: +*`rsa.internal.node_name`*:: + -- Deprecated key defined only in table map. @@ -87398,7 +87804,7 @@ type: keyword -- -*`microsoft.rsa.internal.nwe_callback_id`*:: +*`rsa.internal.nwe_callback_id`*:: + -- This key denotes that event is endpoint related 
@@ -87407,7 +87813,7 @@ type: keyword -- -*`microsoft.rsa.internal.parse_error`*:: +*`rsa.internal.parse_error`*:: + -- This is a special key that stores any Meta key validation error found while parsing a log session. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -87416,7 +87822,7 @@ type: keyword -- -*`microsoft.rsa.internal.payload_req`*:: +*`rsa.internal.payload_req`*:: + -- This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep @@ -87425,7 +87831,7 @@ type: long -- -*`microsoft.rsa.internal.payload_res`*:: +*`rsa.internal.payload_res`*:: + -- This key is only used by the Entropy Parser, the payload size metrics are the payload sizes of each session side at the time of parsing. However, in order to keep @@ -87434,7 +87840,7 @@ type: long -- -*`microsoft.rsa.internal.process_vid_dst`*:: +*`rsa.internal.process_vid_dst`*:: + -- Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the target process. @@ -87443,7 +87849,7 @@ type: keyword -- -*`microsoft.rsa.internal.process_vid_src`*:: +*`rsa.internal.process_vid_src`*:: + -- Endpoint generates and uses a unique virtual ID to identify any similar group of process. This ID represents the source process. @@ -87452,7 +87858,7 @@ type: keyword -- -*`microsoft.rsa.internal.rid`*:: +*`rsa.internal.rid`*:: + -- This is a special ID of the Remote Session created by NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -87461,7 +87867,7 @@ type: long -- -*`microsoft.rsa.internal.session_split`*:: +*`rsa.internal.session_split`*:: + -- This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness 
@@ -87470,7 +87876,7 @@ type: keyword -- -*`microsoft.rsa.internal.site`*:: +*`rsa.internal.site`*:: + -- Deprecated key defined only in table map. @@ -87479,7 +87885,7 @@ type: keyword -- -*`microsoft.rsa.internal.size`*:: +*`rsa.internal.size`*:: + -- This is the size of the session as seen by the NetWitness Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -87488,7 +87894,7 @@ type: long -- -*`microsoft.rsa.internal.sourcefile`*:: +*`rsa.internal.sourcefile`*:: + -- This is the name of the log file or PCAPs that can be imported into NetWitness. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -87497,7 +87903,7 @@ type: keyword -- -*`microsoft.rsa.internal.ubc_req`*:: +*`rsa.internal.ubc_req`*:: + -- This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once @@ -87506,7 +87912,7 @@ type: long -- -*`microsoft.rsa.internal.ubc_res`*:: +*`rsa.internal.ubc_res`*:: + -- This key is only used by the Entropy Parser, Unique byte count is the number of unique bytes seen in each stream. 256 would mean all byte values of 0 thru 255 were seen at least once @@ -87515,7 +87921,7 @@ type: long -- -*`microsoft.rsa.internal.word`*:: +*`rsa.internal.word`*:: + -- This is used by the Word Parsing technology to capture the first 5 character of every word in an unparsed log @@ -87525,7 +87931,7 @@ type: keyword -- -*`microsoft.rsa.time.event_time`*:: +*`rsa.time.event_time`*:: + -- This key is used to capture the time mentioned in a raw session that represents the actual time an event occured in a standard normalized form 
@@ -87534,7 +87940,7 @@ type: date -- -*`microsoft.rsa.time.duration_time`*:: +*`rsa.time.duration_time`*:: + -- This key is used to capture the normalized duration/lifetime in seconds. @@ -87543,7 +87949,7 @@ type: double -- -*`microsoft.rsa.time.event_time_str`*:: +*`rsa.time.event_time_str`*:: + -- This key is used to capture the incomplete time mentioned in a session as a string @@ -87552,7 +87958,7 @@ type: keyword -- -*`microsoft.rsa.time.starttime`*:: +*`rsa.time.starttime`*:: + -- This key is used to capture the Start time mentioned in a session in a standard form @@ -87561,21 +87967,21 @@ type: date -- -*`microsoft.rsa.time.month`*:: +*`rsa.time.month`*:: + -- type: keyword -- -*`microsoft.rsa.time.day`*:: +*`rsa.time.day`*:: + -- type: keyword -- -*`microsoft.rsa.time.endtime`*:: +*`rsa.time.endtime`*:: + -- This key is used to capture the End time mentioned in a session in a standard form @@ -87584,7 +87990,7 @@ type: date -- -*`microsoft.rsa.time.timezone`*:: +*`rsa.time.timezone`*:: + -- This key is used to capture the timezone of the Event Time @@ -87593,7 +87999,7 @@ type: keyword -- -*`microsoft.rsa.time.duration_str`*:: +*`rsa.time.duration_str`*:: + -- A text string version of the duration @@ -87602,21 +88008,21 @@ type: keyword -- -*`microsoft.rsa.time.date`*:: +*`rsa.time.date`*:: + -- type: keyword -- -*`microsoft.rsa.time.year`*:: +*`rsa.time.year`*:: + -- type: keyword -- -*`microsoft.rsa.time.recorded_time`*:: +*`rsa.time.recorded_time`*:: + -- The event time as recorded by the system the event is collected from. The usage scenario is a multi-tier application where the management layer of the system records it's own timestamp at the time of collection from its child nodes. Must be in timestamp format. 
@@ -87625,14 +88031,14 @@ type: date -- -*`microsoft.rsa.time.datetime`*:: +*`rsa.time.datetime`*:: + -- type: keyword -- -*`microsoft.rsa.time.effective_time`*:: +*`rsa.time.effective_time`*:: + -- This key is the effective time referenced by an individual event in a Standard Timestamp format @@ -87641,7 +88047,7 @@ type: date -- -*`microsoft.rsa.time.expire_time`*:: +*`rsa.time.expire_time`*:: + -- This key is the timestamp that explicitly refers to an expiration. @@ -87650,7 +88056,7 @@ type: date -- -*`microsoft.rsa.time.process_time`*:: +*`rsa.time.process_time`*:: + -- Deprecated, use duration.time @@ -87659,28 +88065,28 @@ type: keyword -- -*`microsoft.rsa.time.hour`*:: +*`rsa.time.hour`*:: + -- type: keyword -- -*`microsoft.rsa.time.min`*:: +*`rsa.time.min`*:: + -- type: keyword -- -*`microsoft.rsa.time.timestamp`*:: +*`rsa.time.timestamp`*:: + -- type: keyword -- -*`microsoft.rsa.time.event_queue_time`*:: +*`rsa.time.event_queue_time`*:: + -- This key is the Time that the event was queued. 
@@ -87689,77 +88095,77 @@ type: date -- -*`microsoft.rsa.time.p_time1`*:: +*`rsa.time.p_time1`*:: + -- type: keyword -- -*`microsoft.rsa.time.tzone`*:: +*`rsa.time.tzone`*:: + -- type: keyword -- -*`microsoft.rsa.time.eventtime`*:: +*`rsa.time.eventtime`*:: + -- type: keyword -- -*`microsoft.rsa.time.gmtdate`*:: +*`rsa.time.gmtdate`*:: + -- type: keyword -- -*`microsoft.rsa.time.gmttime`*:: +*`rsa.time.gmttime`*:: + -- type: keyword -- -*`microsoft.rsa.time.p_date`*:: +*`rsa.time.p_date`*:: + -- type: keyword -- -*`microsoft.rsa.time.p_month`*:: +*`rsa.time.p_month`*:: + -- type: keyword -- -*`microsoft.rsa.time.p_time`*:: +*`rsa.time.p_time`*:: + -- type: keyword -- -*`microsoft.rsa.time.p_time2`*:: +*`rsa.time.p_time2`*:: + -- type: keyword -- -*`microsoft.rsa.time.p_year`*:: +*`rsa.time.p_year`*:: + -- type: keyword -- -*`microsoft.rsa.time.expire_time_str`*:: +*`rsa.time.expire_time_str`*:: + -- This key is used to capture incomplete timestamp that explicitly refers to an expiration. @@ -87768,7 +88174,7 @@ type: keyword -- -*`microsoft.rsa.time.stamp`*:: +*`rsa.time.stamp`*:: + -- Deprecated key defined only in table map. @@ -87778,14 +88184,14 @@ type: date -- -*`microsoft.rsa.misc.action`*:: +*`rsa.misc.action`*:: + -- type: keyword -- -*`microsoft.rsa.misc.result`*:: +*`rsa.misc.result`*:: + -- This key is used to capture the outcome/result string value of an action in a session. @@ -87794,7 +88200,7 @@ type: keyword -- -*`microsoft.rsa.misc.severity`*:: +*`rsa.misc.severity`*:: + -- This key is used to capture the severity given the session @@ -87803,7 +88209,7 @@ type: keyword -- -*`microsoft.rsa.misc.event_type`*:: +*`rsa.misc.event_type`*:: + -- This key captures the event category type as specified by the event source. @@ -87812,7 +88218,7 @@ type: keyword -- -*`microsoft.rsa.misc.reference_id`*:: +*`rsa.misc.reference_id`*:: + -- This key is used to capture an event id from the session directly 
@@ -87821,7 +88227,7 @@ type: keyword -- -*`microsoft.rsa.misc.version`*:: +*`rsa.misc.version`*:: + -- This key captures Version of the application or OS which is generating the event. @@ -87830,7 +88236,7 @@ type: keyword -- -*`microsoft.rsa.misc.disposition`*:: +*`rsa.misc.disposition`*:: + -- This key captures the The end state of an action. @@ -87839,7 +88245,7 @@ type: keyword -- -*`microsoft.rsa.misc.result_code`*:: +*`rsa.misc.result_code`*:: + -- This key is used to capture the outcome/result numeric value of an action in a session @@ -87848,7 +88254,7 @@ type: keyword -- -*`microsoft.rsa.misc.category`*:: +*`rsa.misc.category`*:: + -- This key is used to capture the category of an event given by the vendor in the session @@ -87857,7 +88263,7 @@ type: keyword -- -*`microsoft.rsa.misc.obj_name`*:: +*`rsa.misc.obj_name`*:: + -- This is used to capture name of object @@ -87866,7 +88272,7 @@ type: keyword -- -*`microsoft.rsa.misc.obj_type`*:: +*`rsa.misc.obj_type`*:: + -- This is used to capture type of object @@ -87875,7 +88281,7 @@ type: keyword -- -*`microsoft.rsa.misc.event_source`*:: +*`rsa.misc.event_source`*:: + -- This key captures Source of the event that’s not a hostname @@ -87884,7 +88290,7 @@ type: keyword -- -*`microsoft.rsa.misc.log_session_id`*:: +*`rsa.misc.log_session_id`*:: + -- This key is used to capture a sessionid from the session directly @@ -87893,7 +88299,7 @@ type: keyword -- -*`microsoft.rsa.misc.group`*:: +*`rsa.misc.group`*:: + -- This key captures the Group Name value @@ -87902,7 +88308,7 @@ type: keyword -- -*`microsoft.rsa.misc.policy_name`*:: +*`rsa.misc.policy_name`*:: + -- This key is used to capture the Policy Name only. @@ -87911,7 +88317,7 @@ type: keyword -- -*`microsoft.rsa.misc.rule_name`*:: +*`rsa.misc.rule_name`*:: + -- This key captures the Rule Name 
@@ -87920,7 +88326,7 @@ type: keyword -- -*`microsoft.rsa.misc.context`*:: +*`rsa.misc.context`*:: + -- This key captures Information which adds additional context to the event. @@ -87929,7 +88335,7 @@ type: keyword -- -*`microsoft.rsa.misc.change_new`*:: +*`rsa.misc.change_new`*:: + -- This key is used to capture the new values of the attribute that’s changing in a session @@ -87938,14 +88344,14 @@ type: keyword -- -*`microsoft.rsa.misc.space`*:: +*`rsa.misc.space`*:: + -- type: keyword -- -*`microsoft.rsa.misc.client`*:: +*`rsa.misc.client`*:: + -- This key is used to capture only the name of the client application requesting resources of the server. See the user.agent meta key for capture of the specific user agent identifier or browser identification string. @@ -87954,21 +88360,21 @@ type: keyword -- -*`microsoft.rsa.misc.msgIdPart1`*:: +*`rsa.misc.msgIdPart1`*:: + -- type: keyword -- -*`microsoft.rsa.misc.msgIdPart2`*:: +*`rsa.misc.msgIdPart2`*:: + -- type: keyword -- -*`microsoft.rsa.misc.change_old`*:: +*`rsa.misc.change_old`*:: + -- This key is used to capture the old value of the attribute that’s changing in a session @@ -87977,7 +88383,7 @@ type: keyword -- -*`microsoft.rsa.misc.operation_id`*:: +*`rsa.misc.operation_id`*:: + -- An alert number or operation number. The values should be unique and non-repeating. @@ -87986,7 +88392,7 @@ type: keyword -- -*`microsoft.rsa.misc.event_state`*:: +*`rsa.misc.event_state`*:: + -- This key captures the current state of the object/item referenced within the event. Describing an on-going event. @@ -87995,7 +88401,7 @@ type: keyword -- -*`microsoft.rsa.misc.group_object`*:: +*`rsa.misc.group_object`*:: + -- This key captures a collection/grouping of entities. Specific usage @@ -88004,7 +88410,7 @@ type: keyword -- -*`microsoft.rsa.misc.node`*:: +*`rsa.misc.node`*:: + -- Common use case is the node name within a cluster. The cluster name is reflected by the host name. 
@@ -88013,7 +88419,7 @@ type: keyword -- -*`microsoft.rsa.misc.rule`*:: +*`rsa.misc.rule`*:: + -- This key captures the Rule number @@ -88022,7 +88428,7 @@ type: keyword -- -*`microsoft.rsa.misc.device_name`*:: +*`rsa.misc.device_name`*:: + -- This is used to capture name of the Device associated with the node Like: a physical disk, printer, etc @@ -88031,7 +88437,7 @@ type: keyword -- -*`microsoft.rsa.misc.param`*:: +*`rsa.misc.param`*:: + -- This key is the parameters passed as part of a command or application, etc. @@ -88040,7 +88446,7 @@ type: keyword -- -*`microsoft.rsa.misc.change_attrib`*:: +*`rsa.misc.change_attrib`*:: + -- This key is used to capture the name of the attribute that’s changing in a session @@ -88049,7 +88455,7 @@ type: keyword -- -*`microsoft.rsa.misc.event_computer`*:: +*`rsa.misc.event_computer`*:: + -- This key is a windows only concept, where this key is used to capture fully qualified domain name in a windows log. @@ -88058,7 +88464,7 @@ type: keyword -- -*`microsoft.rsa.misc.reference_id1`*:: +*`rsa.misc.reference_id1`*:: + -- This key is for Linked ID to be used as an addition to "reference.id" @@ -88067,7 +88473,7 @@ type: keyword -- -*`microsoft.rsa.misc.event_log`*:: +*`rsa.misc.event_log`*:: + -- This key captures the Name of the event log @@ -88076,7 +88482,7 @@ type: keyword -- -*`microsoft.rsa.misc.OS`*:: +*`rsa.misc.OS`*:: + -- This key captures the Name of the Operating System @@ -88085,7 +88491,7 @@ type: keyword -- -*`microsoft.rsa.misc.terminal`*:: +*`rsa.misc.terminal`*:: + -- This key captures the Terminal Names only @@ -88094,14 +88500,14 @@ type: keyword -- -*`microsoft.rsa.misc.msgIdPart3`*:: +*`rsa.misc.msgIdPart3`*:: + -- type: keyword -- -*`microsoft.rsa.misc.filter`*:: +*`rsa.misc.filter`*:: + -- This key captures Filter used to reduce result set 
@@ -88110,7 +88516,7 @@ type: keyword -- -*`microsoft.rsa.misc.serial_number`*:: +*`rsa.misc.serial_number`*:: + -- This key is the Serial number associated with a physical asset. @@ -88119,7 +88525,7 @@ type: keyword -- -*`microsoft.rsa.misc.checksum`*:: +*`rsa.misc.checksum`*:: + -- This key is used to capture the checksum or hash of the entity such as a file or process. Checksum should be used over checksum.src or checksum.dst when it is unclear whether the entity is a source or target of an action. @@ -88128,7 +88534,7 @@ type: keyword -- -*`microsoft.rsa.misc.event_user`*:: +*`rsa.misc.event_user`*:: + -- This key is a windows only concept, where this key is used to capture combination of domain name and username in a windows log. @@ -88137,7 +88543,7 @@ type: keyword -- -*`microsoft.rsa.misc.virusname`*:: +*`rsa.misc.virusname`*:: + -- This key captures the name of the virus @@ -88146,7 +88552,7 @@ type: keyword -- -*`microsoft.rsa.misc.content_type`*:: +*`rsa.misc.content_type`*:: + -- This key is used to capture Content Type only. @@ -88155,7 +88561,7 @@ type: keyword -- -*`microsoft.rsa.misc.group_id`*:: +*`rsa.misc.group_id`*:: + -- This key captures Group ID Number (related to the group name) @@ -88164,7 +88570,7 @@ type: keyword -- -*`microsoft.rsa.misc.policy_id`*:: +*`rsa.misc.policy_id`*:: + -- This key is used to capture the Policy ID only, this should be a numeric value, use policy.name otherwise @@ -88173,7 +88579,7 @@ type: keyword -- -*`microsoft.rsa.misc.vsys`*:: +*`rsa.misc.vsys`*:: + -- This key captures Virtual System Name @@ -88182,7 +88588,7 @@ type: keyword -- -*`microsoft.rsa.misc.connection_id`*:: +*`rsa.misc.connection_id`*:: + -- This key captures the Connection ID 
@@ -88191,7 +88597,7 @@ type: keyword -- -*`microsoft.rsa.misc.reference_id2`*:: +*`rsa.misc.reference_id2`*:: + -- This key is for the 2nd Linked ID. Can be either linked to "reference.id" or "reference.id1" value but should not be used unless the other two variables are in play. @@ -88200,7 +88606,7 @@ type: keyword -- -*`microsoft.rsa.misc.sensor`*:: +*`rsa.misc.sensor`*:: + -- This key captures Name of the sensor. Typically used in IDS/IPS based devices @@ -88209,7 +88615,7 @@ type: keyword -- -*`microsoft.rsa.misc.sig_id`*:: +*`rsa.misc.sig_id`*:: + -- This key captures IDS/IPS Int Signature ID @@ -88218,7 +88624,7 @@ type: long -- -*`microsoft.rsa.misc.port_name`*:: +*`rsa.misc.port_name`*:: + -- This key is used for Physical or logical port connection but does NOT include a network port. (Example: Printer port name). @@ -88227,7 +88633,7 @@ type: keyword -- -*`microsoft.rsa.misc.rule_group`*:: +*`rsa.misc.rule_group`*:: + -- This key captures the Rule group name @@ -88236,7 +88642,7 @@ type: keyword -- -*`microsoft.rsa.misc.risk_num`*:: +*`rsa.misc.risk_num`*:: + -- This key captures a Numeric Risk value @@ -88245,7 +88651,7 @@ type: double -- -*`microsoft.rsa.misc.trigger_val`*:: +*`rsa.misc.trigger_val`*:: + -- This key captures the Value of the trigger or threshold condition. @@ -88254,7 +88660,7 @@ type: keyword -- -*`microsoft.rsa.misc.log_session_id1`*:: +*`rsa.misc.log_session_id1`*:: + -- This key is used to capture a Linked (Related) Session ID from the session directly @@ -88263,7 +88669,7 @@ type: keyword -- -*`microsoft.rsa.misc.comp_version`*:: +*`rsa.misc.comp_version`*:: + -- This key captures the Version level of a sub-component of a product. @@ -88272,7 +88678,7 @@ type: keyword -- -*`microsoft.rsa.misc.content_version`*:: +*`rsa.misc.content_version`*:: + -- This key captures Version level of a signature or database content. 
@@ -88281,7 +88687,7 @@ type: keyword -- -*`microsoft.rsa.misc.hardware_id`*:: +*`rsa.misc.hardware_id`*:: + -- This key is used to capture unique identifier for a device or system (NOT a Mac address) @@ -88290,7 +88696,7 @@ type: keyword -- -*`microsoft.rsa.misc.risk`*:: +*`rsa.misc.risk`*:: + -- This key captures the non-numeric risk value @@ -88299,28 +88705,28 @@ type: keyword -- -*`microsoft.rsa.misc.event_id`*:: +*`rsa.misc.event_id`*:: + -- type: keyword -- -*`microsoft.rsa.misc.reason`*:: +*`rsa.misc.reason`*:: + -- type: keyword -- -*`microsoft.rsa.misc.status`*:: +*`rsa.misc.status`*:: + -- type: keyword -- -*`microsoft.rsa.misc.mail_id`*:: +*`rsa.misc.mail_id`*:: + -- This key is used to capture the mailbox id/name @@ -88329,7 +88735,7 @@ type: keyword -- -*`microsoft.rsa.misc.rule_uid`*:: +*`rsa.misc.rule_uid`*:: + -- This key is the Unique Identifier for a rule. @@ -88338,7 +88744,7 @@ type: keyword -- -*`microsoft.rsa.misc.trigger_desc`*:: +*`rsa.misc.trigger_desc`*:: + -- This key captures the Description of the trigger or threshold condition. @@ -88347,35 +88753,35 @@ type: keyword -- -*`microsoft.rsa.misc.inout`*:: +*`rsa.misc.inout`*:: + -- type: keyword -- -*`microsoft.rsa.misc.p_msgid`*:: +*`rsa.misc.p_msgid`*:: + -- type: keyword -- -*`microsoft.rsa.misc.data_type`*:: +*`rsa.misc.data_type`*:: + -- type: keyword -- -*`microsoft.rsa.misc.msgIdPart4`*:: +*`rsa.misc.msgIdPart4`*:: + -- type: keyword -- -*`microsoft.rsa.misc.error`*:: +*`rsa.misc.error`*:: + -- This key captures All non successful Error codes or responses @@ -88384,14 +88790,14 @@ type: keyword -- -*`microsoft.rsa.misc.index`*:: +*`rsa.misc.index`*:: + -- type: keyword -- -*`microsoft.rsa.misc.listnum`*:: +*`rsa.misc.listnum`*:: + -- This key is used to capture listname or listnumber, primarily for collecting access-list 
@@ -88400,14 +88806,14 @@ type: keyword -- -*`microsoft.rsa.misc.ntype`*:: +*`rsa.misc.ntype`*:: + -- type: keyword -- -*`microsoft.rsa.misc.observed_val`*:: +*`rsa.misc.observed_val`*:: + -- This key captures the Value observed (from the perspective of the device generating the log). @@ -88416,7 +88822,7 @@ type: keyword -- -*`microsoft.rsa.misc.policy_value`*:: +*`rsa.misc.policy_value`*:: + -- This key captures the contents of the policy. This contains details about the policy @@ -88425,7 +88831,7 @@ type: keyword -- -*`microsoft.rsa.misc.pool_name`*:: +*`rsa.misc.pool_name`*:: + -- This key captures the name of a resource pool @@ -88434,7 +88840,7 @@ type: keyword -- -*`microsoft.rsa.misc.rule_template`*:: +*`rsa.misc.rule_template`*:: + -- A default set of parameters which are overlayed onto a rule (or rulename) which efffectively constitutes a template @@ -88443,35 +88849,35 @@ type: keyword -- -*`microsoft.rsa.misc.count`*:: +*`rsa.misc.count`*:: + -- type: keyword -- -*`microsoft.rsa.misc.number`*:: +*`rsa.misc.number`*:: + -- type: keyword -- -*`microsoft.rsa.misc.sigcat`*:: +*`rsa.misc.sigcat`*:: + -- type: keyword -- -*`microsoft.rsa.misc.type`*:: +*`rsa.misc.type`*:: + -- type: keyword -- -*`microsoft.rsa.misc.comments`*:: +*`rsa.misc.comments`*:: + -- Comment information provided in the log message @@ -88480,7 +88886,7 @@ type: keyword -- -*`microsoft.rsa.misc.doc_number`*:: +*`rsa.misc.doc_number`*:: + -- This key captures File Identification number @@ -88489,7 +88895,7 @@ type: long -- -*`microsoft.rsa.misc.expected_val`*:: +*`rsa.misc.expected_val`*:: + -- This key captures the Value expected (from the perspective of the device generating the log). @@ -88498,7 +88904,7 @@ type: keyword -- -*`microsoft.rsa.misc.job_num`*:: +*`rsa.misc.job_num`*:: + -- This key captures the Job Number @@ -88507,7 +88913,7 @@ type: keyword -- -*`microsoft.rsa.misc.spi_dst`*:: +*`rsa.misc.spi_dst`*:: + -- Destination SPI Index 
@@ -88516,7 +88922,7 @@ type: keyword -- -*`microsoft.rsa.misc.spi_src`*:: +*`rsa.misc.spi_src`*:: + -- Source SPI Index @@ -88525,14 +88931,14 @@ type: keyword -- -*`microsoft.rsa.misc.code`*:: +*`rsa.misc.code`*:: + -- type: keyword -- -*`microsoft.rsa.misc.agent_id`*:: +*`rsa.misc.agent_id`*:: + -- This key is used to capture agent id @@ -88541,7 +88947,7 @@ type: keyword -- -*`microsoft.rsa.misc.message_body`*:: +*`rsa.misc.message_body`*:: + -- This key captures the The contents of the message body. @@ -88550,14 +88956,14 @@ type: keyword -- -*`microsoft.rsa.misc.phone`*:: +*`rsa.misc.phone`*:: + -- type: keyword -- -*`microsoft.rsa.misc.sig_id_str`*:: +*`rsa.misc.sig_id_str`*:: + -- This key captures a string object of the sigid variable. @@ -88566,28 +88972,28 @@ type: keyword -- -*`microsoft.rsa.misc.cmd`*:: +*`rsa.misc.cmd`*:: + -- type: keyword -- -*`microsoft.rsa.misc.misc`*:: +*`rsa.misc.misc`*:: + -- type: keyword -- -*`microsoft.rsa.misc.name`*:: +*`rsa.misc.name`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cpu`*:: +*`rsa.misc.cpu`*:: + -- This key is the CPU time used in the execution of the event being recorded. @@ -88596,7 +89002,7 @@ type: long -- -*`microsoft.rsa.misc.event_desc`*:: +*`rsa.misc.event_desc`*:: + -- This key is used to capture a description of an event available directly or inferred @@ -88605,7 +89011,7 @@ type: keyword -- -*`microsoft.rsa.misc.sig_id1`*:: +*`rsa.misc.sig_id1`*:: + -- This key captures IDS/IPS Int Signature ID. This must be linked to the sig.id 
@@ -88614,42 +89020,42 @@ type: long -- -*`microsoft.rsa.misc.im_buddyid`*:: +*`rsa.misc.im_buddyid`*:: + -- type: keyword -- -*`microsoft.rsa.misc.im_client`*:: +*`rsa.misc.im_client`*:: + -- type: keyword -- -*`microsoft.rsa.misc.im_userid`*:: +*`rsa.misc.im_userid`*:: + -- type: keyword -- -*`microsoft.rsa.misc.pid`*:: +*`rsa.misc.pid`*:: + -- type: keyword -- -*`microsoft.rsa.misc.priority`*:: +*`rsa.misc.priority`*:: + -- type: keyword -- -*`microsoft.rsa.misc.context_subject`*:: +*`rsa.misc.context_subject`*:: + -- This key is to be used in an audit context where the subject is the object being identified @@ -88658,14 +89064,14 @@ type: keyword -- -*`microsoft.rsa.misc.context_target`*:: +*`rsa.misc.context_target`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cve`*:: +*`rsa.misc.cve`*:: + -- This key captures CVE (Common Vulnerabilities and Exposures) - an identifier for known information security vulnerabilities. @@ -88674,7 +89080,7 @@ type: keyword -- -*`microsoft.rsa.misc.fcatnum`*:: +*`rsa.misc.fcatnum`*:: + -- This key captures Filter Category Number. Legacy Usage @@ -88683,7 +89089,7 @@ type: keyword -- -*`microsoft.rsa.misc.library`*:: +*`rsa.misc.library`*:: + -- This key is used to capture library information in mainframe devices @@ -88692,7 +89098,7 @@ type: keyword -- -*`microsoft.rsa.misc.parent_node`*:: +*`rsa.misc.parent_node`*:: + -- This key captures the Parent Node Name. Must be related to node variable. @@ -88701,7 +89107,7 @@ type: keyword -- -*`microsoft.rsa.misc.risk_info`*:: +*`rsa.misc.risk_info`*:: + -- Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) @@ -88710,7 +89116,7 @@ type: keyword -- -*`microsoft.rsa.misc.tcp_flags`*:: +*`rsa.misc.tcp_flags`*:: + -- This key is captures the TCP flags set in any packet of session @@ -88719,7 +89125,7 @@ type: long -- -*`microsoft.rsa.misc.tos`*:: +*`rsa.misc.tos`*:: + -- This key describes the type of service 
@@ -88728,7 +89134,7 @@ type: long -- -*`microsoft.rsa.misc.vm_target`*:: +*`rsa.misc.vm_target`*:: + -- VMWare Target **VMWARE** only varaible. @@ -88737,7 +89143,7 @@ type: keyword -- -*`microsoft.rsa.misc.workspace`*:: +*`rsa.misc.workspace`*:: + -- This key captures Workspace Description @@ -88746,91 +89152,91 @@ type: keyword -- -*`microsoft.rsa.misc.command`*:: +*`rsa.misc.command`*:: + -- type: keyword -- -*`microsoft.rsa.misc.event_category`*:: +*`rsa.misc.event_category`*:: + -- type: keyword -- -*`microsoft.rsa.misc.facilityname`*:: +*`rsa.misc.facilityname`*:: + -- type: keyword -- -*`microsoft.rsa.misc.forensic_info`*:: +*`rsa.misc.forensic_info`*:: + -- type: keyword -- -*`microsoft.rsa.misc.jobname`*:: +*`rsa.misc.jobname`*:: + -- type: keyword -- -*`microsoft.rsa.misc.mode`*:: +*`rsa.misc.mode`*:: + -- type: keyword -- -*`microsoft.rsa.misc.policy`*:: +*`rsa.misc.policy`*:: + -- type: keyword -- -*`microsoft.rsa.misc.policy_waiver`*:: +*`rsa.misc.policy_waiver`*:: + -- type: keyword -- -*`microsoft.rsa.misc.second`*:: +*`rsa.misc.second`*:: + -- type: keyword -- -*`microsoft.rsa.misc.space1`*:: +*`rsa.misc.space1`*:: + -- type: keyword -- -*`microsoft.rsa.misc.subcategory`*:: +*`rsa.misc.subcategory`*:: + -- type: keyword -- -*`microsoft.rsa.misc.tbdstr2`*:: +*`rsa.misc.tbdstr2`*:: + -- type: keyword -- -*`microsoft.rsa.misc.alert_id`*:: +*`rsa.misc.alert_id`*:: + -- Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) @@ -88839,7 +89245,7 @@ type: keyword -- -*`microsoft.rsa.misc.checksum_dst`*:: +*`rsa.misc.checksum_dst`*:: + -- This key is used to capture the checksum or hash of the the target entity such as a process or file. @@ -88848,7 +89254,7 @@ type: keyword -- -*`microsoft.rsa.misc.checksum_src`*:: +*`rsa.misc.checksum_src`*:: + -- This key is used to capture the checksum or hash of the source entity such as a file or process. 
@@ -88857,7 +89263,7 @@ type: keyword -- -*`microsoft.rsa.misc.fresult`*:: +*`rsa.misc.fresult`*:: + -- This key captures the Filter Result @@ -88866,7 +89272,7 @@ type: long -- -*`microsoft.rsa.misc.payload_dst`*:: +*`rsa.misc.payload_dst`*:: + -- This key is used to capture destination payload @@ -88875,7 +89281,7 @@ type: keyword -- -*`microsoft.rsa.misc.payload_src`*:: +*`rsa.misc.payload_src`*:: + -- This key is used to capture source payload @@ -88884,7 +89290,7 @@ type: keyword -- -*`microsoft.rsa.misc.pool_id`*:: +*`rsa.misc.pool_id`*:: + -- This key captures the identifier (typically numeric field) of a resource pool @@ -88893,7 +89299,7 @@ type: keyword -- -*`microsoft.rsa.misc.process_id_val`*:: +*`rsa.misc.process_id_val`*:: + -- This key is a failure key for Process ID when it is not an integer value @@ -88902,7 +89308,7 @@ type: keyword -- -*`microsoft.rsa.misc.risk_num_comm`*:: +*`rsa.misc.risk_num_comm`*:: + -- This key captures Risk Number Community @@ -88911,7 +89317,7 @@ type: double -- -*`microsoft.rsa.misc.risk_num_next`*:: +*`rsa.misc.risk_num_next`*:: + -- This key captures Risk Number NextGen @@ -88920,7 +89326,7 @@ type: double -- -*`microsoft.rsa.misc.risk_num_sand`*:: +*`rsa.misc.risk_num_sand`*:: + -- This key captures Risk Number SandBox @@ -88929,7 +89335,7 @@ type: double -- -*`microsoft.rsa.misc.risk_num_static`*:: +*`rsa.misc.risk_num_static`*:: + -- This key captures Risk Number Static @@ -88938,7 +89344,7 @@ type: double -- -*`microsoft.rsa.misc.risk_suspicious`*:: +*`rsa.misc.risk_suspicious`*:: + -- Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) @@ -88947,7 +89353,7 @@ type: keyword -- -*`microsoft.rsa.misc.risk_warning`*:: +*`rsa.misc.risk_warning`*:: + -- Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) @@ -88956,7 +89362,7 @@ type: keyword -- -*`microsoft.rsa.misc.snmp_oid`*:: +*`rsa.misc.snmp_oid`*:: + -- SNMP Object Identifier 
@@ -88965,7 +89371,7 @@ type: keyword -- -*`microsoft.rsa.misc.sql`*:: +*`rsa.misc.sql`*:: + -- This key captures the SQL query @@ -88974,7 +89380,7 @@ type: keyword -- -*`microsoft.rsa.misc.vuln_ref`*:: +*`rsa.misc.vuln_ref`*:: + -- This key captures the Vulnerability Reference details 
@@ -88983,1547 +89389,1547 @@ type: keyword -- -*`microsoft.rsa.misc.acl_id`*:: +*`rsa.misc.acl_id`*:: + -- type: keyword -- -*`microsoft.rsa.misc.acl_op`*:: +*`rsa.misc.acl_op`*:: + -- type: keyword -- -*`microsoft.rsa.misc.acl_pos`*:: +*`rsa.misc.acl_pos`*:: + -- type: keyword -- -*`microsoft.rsa.misc.acl_table`*:: +*`rsa.misc.acl_table`*:: + -- type: keyword -- -*`microsoft.rsa.misc.admin`*:: +*`rsa.misc.admin`*:: + -- type: keyword -- -*`microsoft.rsa.misc.alarm_id`*:: +*`rsa.misc.alarm_id`*:: + -- type: keyword -- -*`microsoft.rsa.misc.alarmname`*:: +*`rsa.misc.alarmname`*:: + -- type: keyword -- -*`microsoft.rsa.misc.app_id`*:: +*`rsa.misc.app_id`*:: + -- type: keyword -- -*`microsoft.rsa.misc.audit`*:: +*`rsa.misc.audit`*:: + -- type: keyword -- -*`microsoft.rsa.misc.audit_object`*:: +*`rsa.misc.audit_object`*:: + -- type: keyword -- -*`microsoft.rsa.misc.auditdata`*:: +*`rsa.misc.auditdata`*:: + -- type: keyword -- -*`microsoft.rsa.misc.benchmark`*:: +*`rsa.misc.benchmark`*:: + -- type: keyword -- -*`microsoft.rsa.misc.bypass`*:: +*`rsa.misc.bypass`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cache`*:: +*`rsa.misc.cache`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cache_hit`*:: +*`rsa.misc.cache_hit`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cefversion`*:: +*`rsa.misc.cefversion`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cfg_attr`*:: +*`rsa.misc.cfg_attr`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cfg_obj`*:: +*`rsa.misc.cfg_obj`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cfg_path`*:: +*`rsa.misc.cfg_path`*:: + -- type: keyword -- -*`microsoft.rsa.misc.changes`*:: +*`rsa.misc.changes`*:: + -- type: keyword -- -*`microsoft.rsa.misc.client_ip`*:: +*`rsa.misc.client_ip`*:: + -- type: keyword -- -*`microsoft.rsa.misc.clustermembers`*:: +*`rsa.misc.clustermembers`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cn_acttimeout`*:: +*`rsa.misc.cn_acttimeout`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cn_asn_src`*:: 
+*`rsa.misc.cn_asn_src`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cn_bgpv4nxthop`*:: +*`rsa.misc.cn_bgpv4nxthop`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cn_ctr_dst_code`*:: +*`rsa.misc.cn_ctr_dst_code`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cn_dst_tos`*:: +*`rsa.misc.cn_dst_tos`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cn_dst_vlan`*:: +*`rsa.misc.cn_dst_vlan`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cn_engine_id`*:: +*`rsa.misc.cn_engine_id`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cn_engine_type`*:: +*`rsa.misc.cn_engine_type`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cn_f_switch`*:: +*`rsa.misc.cn_f_switch`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cn_flowsampid`*:: +*`rsa.misc.cn_flowsampid`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cn_flowsampintv`*:: +*`rsa.misc.cn_flowsampintv`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cn_flowsampmode`*:: +*`rsa.misc.cn_flowsampmode`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cn_inacttimeout`*:: +*`rsa.misc.cn_inacttimeout`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cn_inpermbyts`*:: +*`rsa.misc.cn_inpermbyts`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cn_inpermpckts`*:: +*`rsa.misc.cn_inpermpckts`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cn_invalid`*:: +*`rsa.misc.cn_invalid`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cn_ip_proto_ver`*:: +*`rsa.misc.cn_ip_proto_ver`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cn_ipv4_ident`*:: +*`rsa.misc.cn_ipv4_ident`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cn_l_switch`*:: +*`rsa.misc.cn_l_switch`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cn_log_did`*:: +*`rsa.misc.cn_log_did`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cn_log_rid`*:: +*`rsa.misc.cn_log_rid`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cn_max_ttl`*:: +*`rsa.misc.cn_max_ttl`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cn_maxpcktlen`*:: +*`rsa.misc.cn_maxpcktlen`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cn_min_ttl`*:: 
+*`rsa.misc.cn_min_ttl`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cn_minpcktlen`*:: +*`rsa.misc.cn_minpcktlen`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cn_mpls_lbl_1`*:: +*`rsa.misc.cn_mpls_lbl_1`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cn_mpls_lbl_10`*:: +*`rsa.misc.cn_mpls_lbl_10`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cn_mpls_lbl_2`*:: +*`rsa.misc.cn_mpls_lbl_2`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cn_mpls_lbl_3`*:: +*`rsa.misc.cn_mpls_lbl_3`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cn_mpls_lbl_4`*:: +*`rsa.misc.cn_mpls_lbl_4`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cn_mpls_lbl_5`*:: +*`rsa.misc.cn_mpls_lbl_5`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cn_mpls_lbl_6`*:: +*`rsa.misc.cn_mpls_lbl_6`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cn_mpls_lbl_7`*:: +*`rsa.misc.cn_mpls_lbl_7`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cn_mpls_lbl_8`*:: +*`rsa.misc.cn_mpls_lbl_8`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cn_mpls_lbl_9`*:: +*`rsa.misc.cn_mpls_lbl_9`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cn_mplstoplabel`*:: +*`rsa.misc.cn_mplstoplabel`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cn_mplstoplabip`*:: +*`rsa.misc.cn_mplstoplabip`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cn_mul_dst_byt`*:: +*`rsa.misc.cn_mul_dst_byt`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cn_mul_dst_pks`*:: +*`rsa.misc.cn_mul_dst_pks`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cn_muligmptype`*:: +*`rsa.misc.cn_muligmptype`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cn_sampalgo`*:: +*`rsa.misc.cn_sampalgo`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cn_sampint`*:: +*`rsa.misc.cn_sampint`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cn_seqctr`*:: +*`rsa.misc.cn_seqctr`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cn_spackets`*:: +*`rsa.misc.cn_spackets`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cn_src_tos`*:: +*`rsa.misc.cn_src_tos`*:: + -- type: keyword -- 
-*`microsoft.rsa.misc.cn_src_vlan`*:: +*`rsa.misc.cn_src_vlan`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cn_sysuptime`*:: +*`rsa.misc.cn_sysuptime`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cn_template_id`*:: +*`rsa.misc.cn_template_id`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cn_totbytsexp`*:: +*`rsa.misc.cn_totbytsexp`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cn_totflowexp`*:: +*`rsa.misc.cn_totflowexp`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cn_totpcktsexp`*:: +*`rsa.misc.cn_totpcktsexp`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cn_unixnanosecs`*:: +*`rsa.misc.cn_unixnanosecs`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cn_v6flowlabel`*:: +*`rsa.misc.cn_v6flowlabel`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cn_v6optheaders`*:: +*`rsa.misc.cn_v6optheaders`*:: + -- type: keyword -- -*`microsoft.rsa.misc.comp_class`*:: +*`rsa.misc.comp_class`*:: + -- type: keyword -- -*`microsoft.rsa.misc.comp_name`*:: +*`rsa.misc.comp_name`*:: + -- type: keyword -- -*`microsoft.rsa.misc.comp_rbytes`*:: +*`rsa.misc.comp_rbytes`*:: + -- type: keyword -- -*`microsoft.rsa.misc.comp_sbytes`*:: +*`rsa.misc.comp_sbytes`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cpu_data`*:: +*`rsa.misc.cpu_data`*:: + -- type: keyword -- -*`microsoft.rsa.misc.criticality`*:: +*`rsa.misc.criticality`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cs_agency_dst`*:: +*`rsa.misc.cs_agency_dst`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cs_analyzedby`*:: +*`rsa.misc.cs_analyzedby`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cs_av_other`*:: +*`rsa.misc.cs_av_other`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cs_av_primary`*:: +*`rsa.misc.cs_av_primary`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cs_av_secondary`*:: +*`rsa.misc.cs_av_secondary`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cs_bgpv6nxthop`*:: +*`rsa.misc.cs_bgpv6nxthop`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cs_bit9status`*:: +*`rsa.misc.cs_bit9status`*:: + -- type: keyword -- 
-*`microsoft.rsa.misc.cs_context`*:: +*`rsa.misc.cs_context`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cs_control`*:: +*`rsa.misc.cs_control`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cs_data`*:: +*`rsa.misc.cs_data`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cs_datecret`*:: +*`rsa.misc.cs_datecret`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cs_dst_tld`*:: +*`rsa.misc.cs_dst_tld`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cs_eth_dst_ven`*:: +*`rsa.misc.cs_eth_dst_ven`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cs_eth_src_ven`*:: +*`rsa.misc.cs_eth_src_ven`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cs_event_uuid`*:: +*`rsa.misc.cs_event_uuid`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cs_filetype`*:: +*`rsa.misc.cs_filetype`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cs_fld`*:: +*`rsa.misc.cs_fld`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cs_if_desc`*:: +*`rsa.misc.cs_if_desc`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cs_if_name`*:: +*`rsa.misc.cs_if_name`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cs_ip_next_hop`*:: +*`rsa.misc.cs_ip_next_hop`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cs_ipv4dstpre`*:: +*`rsa.misc.cs_ipv4dstpre`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cs_ipv4srcpre`*:: +*`rsa.misc.cs_ipv4srcpre`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cs_lifetime`*:: +*`rsa.misc.cs_lifetime`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cs_log_medium`*:: +*`rsa.misc.cs_log_medium`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cs_loginname`*:: +*`rsa.misc.cs_loginname`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cs_modulescore`*:: +*`rsa.misc.cs_modulescore`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cs_modulesign`*:: +*`rsa.misc.cs_modulesign`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cs_opswatresult`*:: +*`rsa.misc.cs_opswatresult`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cs_payload`*:: +*`rsa.misc.cs_payload`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cs_registrant`*:: 
+*`rsa.misc.cs_registrant`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cs_registrar`*:: +*`rsa.misc.cs_registrar`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cs_represult`*:: +*`rsa.misc.cs_represult`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cs_rpayload`*:: +*`rsa.misc.cs_rpayload`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cs_sampler_name`*:: +*`rsa.misc.cs_sampler_name`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cs_sourcemodule`*:: +*`rsa.misc.cs_sourcemodule`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cs_streams`*:: +*`rsa.misc.cs_streams`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cs_targetmodule`*:: +*`rsa.misc.cs_targetmodule`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cs_v6nxthop`*:: +*`rsa.misc.cs_v6nxthop`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cs_whois_server`*:: +*`rsa.misc.cs_whois_server`*:: + -- type: keyword -- -*`microsoft.rsa.misc.cs_yararesult`*:: +*`rsa.misc.cs_yararesult`*:: + -- type: keyword -- -*`microsoft.rsa.misc.description`*:: +*`rsa.misc.description`*:: + -- type: keyword -- -*`microsoft.rsa.misc.devvendor`*:: +*`rsa.misc.devvendor`*:: + -- type: keyword -- -*`microsoft.rsa.misc.distance`*:: +*`rsa.misc.distance`*:: + -- type: keyword -- -*`microsoft.rsa.misc.dstburb`*:: +*`rsa.misc.dstburb`*:: + -- type: keyword -- -*`microsoft.rsa.misc.edomain`*:: +*`rsa.misc.edomain`*:: + -- type: keyword -- -*`microsoft.rsa.misc.edomaub`*:: +*`rsa.misc.edomaub`*:: + -- type: keyword -- -*`microsoft.rsa.misc.euid`*:: +*`rsa.misc.euid`*:: + -- type: keyword -- -*`microsoft.rsa.misc.facility`*:: +*`rsa.misc.facility`*:: + -- type: keyword -- -*`microsoft.rsa.misc.finterface`*:: +*`rsa.misc.finterface`*:: + -- type: keyword -- -*`microsoft.rsa.misc.flags`*:: +*`rsa.misc.flags`*:: + -- type: keyword -- -*`microsoft.rsa.misc.gaddr`*:: +*`rsa.misc.gaddr`*:: + -- type: keyword -- -*`microsoft.rsa.misc.id3`*:: +*`rsa.misc.id3`*:: + -- type: keyword -- -*`microsoft.rsa.misc.im_buddyname`*:: +*`rsa.misc.im_buddyname`*:: + 
-- type: keyword -- -*`microsoft.rsa.misc.im_croomid`*:: +*`rsa.misc.im_croomid`*:: + -- type: keyword -- -*`microsoft.rsa.misc.im_croomtype`*:: +*`rsa.misc.im_croomtype`*:: + -- type: keyword -- -*`microsoft.rsa.misc.im_members`*:: +*`rsa.misc.im_members`*:: + -- type: keyword -- -*`microsoft.rsa.misc.im_username`*:: +*`rsa.misc.im_username`*:: + -- type: keyword -- -*`microsoft.rsa.misc.ipkt`*:: +*`rsa.misc.ipkt`*:: + -- type: keyword -- -*`microsoft.rsa.misc.ipscat`*:: +*`rsa.misc.ipscat`*:: + -- type: keyword -- -*`microsoft.rsa.misc.ipspri`*:: +*`rsa.misc.ipspri`*:: + -- type: keyword -- -*`microsoft.rsa.misc.latitude`*:: +*`rsa.misc.latitude`*:: + -- type: keyword -- -*`microsoft.rsa.misc.linenum`*:: +*`rsa.misc.linenum`*:: + -- type: keyword -- -*`microsoft.rsa.misc.list_name`*:: +*`rsa.misc.list_name`*:: + -- type: keyword -- -*`microsoft.rsa.misc.load_data`*:: +*`rsa.misc.load_data`*:: + -- type: keyword -- -*`microsoft.rsa.misc.location_floor`*:: +*`rsa.misc.location_floor`*:: + -- type: keyword -- -*`microsoft.rsa.misc.location_mark`*:: +*`rsa.misc.location_mark`*:: + -- type: keyword -- -*`microsoft.rsa.misc.log_id`*:: +*`rsa.misc.log_id`*:: + -- type: keyword -- -*`microsoft.rsa.misc.log_type`*:: +*`rsa.misc.log_type`*:: + -- type: keyword -- -*`microsoft.rsa.misc.logid`*:: +*`rsa.misc.logid`*:: + -- type: keyword -- -*`microsoft.rsa.misc.logip`*:: +*`rsa.misc.logip`*:: + -- type: keyword -- -*`microsoft.rsa.misc.logname`*:: +*`rsa.misc.logname`*:: + -- type: keyword -- -*`microsoft.rsa.misc.longitude`*:: +*`rsa.misc.longitude`*:: + -- type: keyword -- -*`microsoft.rsa.misc.lport`*:: +*`rsa.misc.lport`*:: + -- type: keyword -- -*`microsoft.rsa.misc.mbug_data`*:: +*`rsa.misc.mbug_data`*:: + -- type: keyword -- -*`microsoft.rsa.misc.misc_name`*:: +*`rsa.misc.misc_name`*:: + -- type: keyword -- -*`microsoft.rsa.misc.msg_type`*:: +*`rsa.misc.msg_type`*:: + -- type: keyword -- -*`microsoft.rsa.misc.msgid`*:: +*`rsa.misc.msgid`*:: + -- type: keyword -- 
-*`microsoft.rsa.misc.netsessid`*:: +*`rsa.misc.netsessid`*:: + -- type: keyword -- -*`microsoft.rsa.misc.num`*:: +*`rsa.misc.num`*:: + -- type: keyword -- -*`microsoft.rsa.misc.number1`*:: +*`rsa.misc.number1`*:: + -- type: keyword -- -*`microsoft.rsa.misc.number2`*:: +*`rsa.misc.number2`*:: + -- type: keyword -- -*`microsoft.rsa.misc.nwwn`*:: +*`rsa.misc.nwwn`*:: + -- type: keyword -- -*`microsoft.rsa.misc.object`*:: +*`rsa.misc.object`*:: + -- type: keyword -- -*`microsoft.rsa.misc.operation`*:: +*`rsa.misc.operation`*:: + -- type: keyword -- -*`microsoft.rsa.misc.opkt`*:: +*`rsa.misc.opkt`*:: + -- type: keyword -- -*`microsoft.rsa.misc.orig_from`*:: +*`rsa.misc.orig_from`*:: + -- type: keyword -- -*`microsoft.rsa.misc.owner_id`*:: +*`rsa.misc.owner_id`*:: + -- type: keyword -- -*`microsoft.rsa.misc.p_action`*:: +*`rsa.misc.p_action`*:: + -- type: keyword -- -*`microsoft.rsa.misc.p_filter`*:: +*`rsa.misc.p_filter`*:: + -- type: keyword -- -*`microsoft.rsa.misc.p_group_object`*:: +*`rsa.misc.p_group_object`*:: + -- type: keyword -- -*`microsoft.rsa.misc.p_id`*:: +*`rsa.misc.p_id`*:: + -- type: keyword -- -*`microsoft.rsa.misc.p_msgid1`*:: +*`rsa.misc.p_msgid1`*:: + -- type: keyword -- -*`microsoft.rsa.misc.p_msgid2`*:: +*`rsa.misc.p_msgid2`*:: + -- type: keyword -- -*`microsoft.rsa.misc.p_result1`*:: +*`rsa.misc.p_result1`*:: + -- type: keyword -- -*`microsoft.rsa.misc.password_chg`*:: +*`rsa.misc.password_chg`*:: + -- type: keyword -- -*`microsoft.rsa.misc.password_expire`*:: +*`rsa.misc.password_expire`*:: + -- type: keyword -- -*`microsoft.rsa.misc.permgranted`*:: +*`rsa.misc.permgranted`*:: + -- type: keyword -- -*`microsoft.rsa.misc.permwanted`*:: +*`rsa.misc.permwanted`*:: + -- type: keyword -- -*`microsoft.rsa.misc.pgid`*:: +*`rsa.misc.pgid`*:: + -- type: keyword -- -*`microsoft.rsa.misc.policyUUID`*:: +*`rsa.misc.policyUUID`*:: + -- type: keyword -- -*`microsoft.rsa.misc.prog_asp_num`*:: +*`rsa.misc.prog_asp_num`*:: + -- type: keyword -- 
-*`microsoft.rsa.misc.program`*:: +*`rsa.misc.program`*:: + -- type: keyword -- -*`microsoft.rsa.misc.real_data`*:: +*`rsa.misc.real_data`*:: + -- type: keyword -- -*`microsoft.rsa.misc.rec_asp_device`*:: +*`rsa.misc.rec_asp_device`*:: + -- type: keyword -- -*`microsoft.rsa.misc.rec_asp_num`*:: +*`rsa.misc.rec_asp_num`*:: + -- type: keyword -- -*`microsoft.rsa.misc.rec_library`*:: +*`rsa.misc.rec_library`*:: + -- type: keyword -- -*`microsoft.rsa.misc.recordnum`*:: +*`rsa.misc.recordnum`*:: + -- type: keyword -- -*`microsoft.rsa.misc.ruid`*:: +*`rsa.misc.ruid`*:: + -- type: keyword -- -*`microsoft.rsa.misc.sburb`*:: +*`rsa.misc.sburb`*:: + -- type: keyword -- -*`microsoft.rsa.misc.sdomain_fld`*:: +*`rsa.misc.sdomain_fld`*:: + -- type: keyword -- -*`microsoft.rsa.misc.sec`*:: +*`rsa.misc.sec`*:: + -- type: keyword -- -*`microsoft.rsa.misc.sensorname`*:: +*`rsa.misc.sensorname`*:: + -- type: keyword -- -*`microsoft.rsa.misc.seqnum`*:: +*`rsa.misc.seqnum`*:: + -- type: keyword -- -*`microsoft.rsa.misc.session`*:: +*`rsa.misc.session`*:: + -- type: keyword -- -*`microsoft.rsa.misc.sessiontype`*:: +*`rsa.misc.sessiontype`*:: + -- type: keyword -- -*`microsoft.rsa.misc.sigUUID`*:: +*`rsa.misc.sigUUID`*:: + -- type: keyword -- -*`microsoft.rsa.misc.spi`*:: +*`rsa.misc.spi`*:: + -- type: keyword -- -*`microsoft.rsa.misc.srcburb`*:: +*`rsa.misc.srcburb`*:: + -- type: keyword -- -*`microsoft.rsa.misc.srcdom`*:: +*`rsa.misc.srcdom`*:: + -- type: keyword -- -*`microsoft.rsa.misc.srcservice`*:: +*`rsa.misc.srcservice`*:: + -- type: keyword -- -*`microsoft.rsa.misc.state`*:: +*`rsa.misc.state`*:: + -- type: keyword -- -*`microsoft.rsa.misc.status1`*:: +*`rsa.misc.status1`*:: + -- type: keyword -- -*`microsoft.rsa.misc.svcno`*:: +*`rsa.misc.svcno`*:: + -- type: keyword -- -*`microsoft.rsa.misc.system`*:: +*`rsa.misc.system`*:: + -- type: keyword -- -*`microsoft.rsa.misc.tbdstr1`*:: +*`rsa.misc.tbdstr1`*:: + -- type: keyword -- -*`microsoft.rsa.misc.tgtdom`*:: 
+*`rsa.misc.tgtdom`*:: + -- type: keyword -- -*`microsoft.rsa.misc.tgtdomain`*:: +*`rsa.misc.tgtdomain`*:: + -- type: keyword -- -*`microsoft.rsa.misc.threshold`*:: +*`rsa.misc.threshold`*:: + -- type: keyword -- -*`microsoft.rsa.misc.type1`*:: +*`rsa.misc.type1`*:: + -- type: keyword -- -*`microsoft.rsa.misc.udb_class`*:: +*`rsa.misc.udb_class`*:: + -- type: keyword -- -*`microsoft.rsa.misc.url_fld`*:: +*`rsa.misc.url_fld`*:: + -- type: keyword -- -*`microsoft.rsa.misc.user_div`*:: +*`rsa.misc.user_div`*:: + -- type: keyword -- -*`microsoft.rsa.misc.userid`*:: +*`rsa.misc.userid`*:: + -- type: keyword -- -*`microsoft.rsa.misc.username_fld`*:: +*`rsa.misc.username_fld`*:: + -- type: keyword -- -*`microsoft.rsa.misc.utcstamp`*:: +*`rsa.misc.utcstamp`*:: + -- type: keyword -- -*`microsoft.rsa.misc.v_instafname`*:: +*`rsa.misc.v_instafname`*:: + -- type: keyword -- -*`microsoft.rsa.misc.virt_data`*:: +*`rsa.misc.virt_data`*:: + -- type: keyword -- -*`microsoft.rsa.misc.vpnid`*:: +*`rsa.misc.vpnid`*:: + -- type: keyword -- -*`microsoft.rsa.misc.autorun_type`*:: +*`rsa.misc.autorun_type`*:: + -- This is used to capture Auto Run type @@ -90532,7 +90938,7 @@ type: keyword -- -*`microsoft.rsa.misc.cc_number`*:: +*`rsa.misc.cc_number`*:: + -- Valid Credit Card Numbers only @@ -90541,7 +90947,7 @@ type: long -- -*`microsoft.rsa.misc.content`*:: +*`rsa.misc.content`*:: + -- This key captures the content type from protocol headers @@ -90550,7 +90956,7 @@ type: keyword -- -*`microsoft.rsa.misc.ein_number`*:: +*`rsa.misc.ein_number`*:: + -- Employee Identification Numbers only @@ -90559,7 +90965,7 @@ type: long -- -*`microsoft.rsa.misc.found`*:: +*`rsa.misc.found`*:: + -- This is used to capture the results of regex match @@ -90568,7 +90974,7 @@ type: keyword -- -*`microsoft.rsa.misc.language`*:: +*`rsa.misc.language`*:: + -- This is used to capture list of languages the client support and what it prefers 
@@ -90577,7 +90983,7 @@ type: keyword -- -*`microsoft.rsa.misc.lifetime`*:: +*`rsa.misc.lifetime`*:: + -- This key is used to capture the session lifetime in seconds. @@ -90586,7 +90992,7 @@ type: long -- -*`microsoft.rsa.misc.link`*:: +*`rsa.misc.link`*:: + -- This key is used to link the sessions together. This key should never be used to parse Meta data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness @@ -90595,7 +91001,7 @@ type: keyword -- -*`microsoft.rsa.misc.match`*:: +*`rsa.misc.match`*:: + -- This key is for regex match name from search.ini @@ -90604,7 +91010,7 @@ type: keyword -- -*`microsoft.rsa.misc.param_dst`*:: +*`rsa.misc.param_dst`*:: + -- This key captures the command line/launch argument of the target process or file @@ -90613,7 +91019,7 @@ type: keyword -- -*`microsoft.rsa.misc.param_src`*:: +*`rsa.misc.param_src`*:: + -- This key captures source parameter @@ -90622,7 +91028,7 @@ type: keyword -- -*`microsoft.rsa.misc.search_text`*:: +*`rsa.misc.search_text`*:: + -- This key captures the Search Text used @@ -90631,7 +91037,7 @@ type: keyword -- -*`microsoft.rsa.misc.sig_name`*:: +*`rsa.misc.sig_name`*:: + -- This key is used to capture the Signature Name only. @@ -90640,7 +91046,7 @@ type: keyword -- -*`microsoft.rsa.misc.snmp_value`*:: +*`rsa.misc.snmp_value`*:: + -- SNMP set request value @@ -90649,7 +91055,7 @@ type: keyword -- -*`microsoft.rsa.misc.streams`*:: +*`rsa.misc.streams`*:: + -- This key captures number of streams in session @@ -90659,7 +91065,7 @@ type: long -- -*`microsoft.rsa.db.index`*:: +*`rsa.db.index`*:: + -- This key captures IndexID of the index. @@ -90668,7 +91074,7 @@ type: keyword -- -*`microsoft.rsa.db.instance`*:: +*`rsa.db.instance`*:: + -- This key is used to capture the database server instance name @@ -90677,7 +91083,7 @@ type: keyword -- -*`microsoft.rsa.db.database`*:: +*`rsa.db.database`*:: + -- This key is used to capture the name of a database or an instance as seen in a session 
@@ -90686,7 +91092,7 @@ type: keyword -- -*`microsoft.rsa.db.transact_id`*:: +*`rsa.db.transact_id`*:: + -- This key captures the SQL transantion ID of the current session @@ -90695,7 +91101,7 @@ type: keyword -- -*`microsoft.rsa.db.permissions`*:: +*`rsa.db.permissions`*:: + -- This key captures permission or privilege level assigned to a resource. @@ -90704,7 +91110,7 @@ type: keyword -- -*`microsoft.rsa.db.table_name`*:: +*`rsa.db.table_name`*:: + -- This key is used to capture the table name @@ -90713,7 +91119,7 @@ type: keyword -- -*`microsoft.rsa.db.db_id`*:: +*`rsa.db.db_id`*:: + -- This key is used to capture the unique identifier for a database @@ -90722,7 +91128,7 @@ type: keyword -- -*`microsoft.rsa.db.db_pid`*:: +*`rsa.db.db_pid`*:: + -- This key captures the process id of a connection with database server @@ -90731,7 +91137,7 @@ type: long -- -*`microsoft.rsa.db.lread`*:: +*`rsa.db.lread`*:: + -- This key is used for the number of logical reads @@ -90740,7 +91146,7 @@ type: long -- -*`microsoft.rsa.db.lwrite`*:: +*`rsa.db.lwrite`*:: + -- This key is used for the number of logical writes @@ -90749,7 +91155,7 @@ type: long -- -*`microsoft.rsa.db.pread`*:: +*`rsa.db.pread`*:: + -- This key is used for the number of physical writes @@ -90759,7 +91165,7 @@ type: long -- -*`microsoft.rsa.network.alias_host`*:: +*`rsa.network.alias_host`*:: + -- This key should be used when the source or destination context of a hostname is not clear.Also it captures the Device Hostname. Any Hostname that isnt ad.computer. @@ -90768,14 +91174,14 @@ type: keyword -- -*`microsoft.rsa.network.domain`*:: +*`rsa.network.domain`*:: + -- type: keyword -- -*`microsoft.rsa.network.host_dst`*:: +*`rsa.network.host_dst`*:: + -- This key should only be used when it’s a Destination Hostname @@ -90784,7 +91190,7 @@ type: keyword -- -*`microsoft.rsa.network.network_service`*:: +*`rsa.network.network_service`*:: + -- This is used to capture layer 7 protocols/service names 
@@ -90793,7 +91199,7 @@ type: keyword -- -*`microsoft.rsa.network.interface`*:: +*`rsa.network.interface`*:: + -- This key should be used when the source or destination context of an interface is not clear @@ -90802,7 +91208,7 @@ type: keyword -- -*`microsoft.rsa.network.network_port`*:: +*`rsa.network.network_port`*:: + -- Deprecated, use port. NOTE: There is a type discrepancy as currently used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!) @@ -90811,7 +91217,7 @@ type: long -- -*`microsoft.rsa.network.eth_host`*:: +*`rsa.network.eth_host`*:: + -- Deprecated, use alias.mac @@ -90820,7 +91226,7 @@ type: keyword -- -*`microsoft.rsa.network.sinterface`*:: +*`rsa.network.sinterface`*:: + -- This key should only be used when it’s a Source Interface @@ -90829,7 +91235,7 @@ type: keyword -- -*`microsoft.rsa.network.dinterface`*:: +*`rsa.network.dinterface`*:: + -- This key should only be used when it’s a Destination Interface @@ -90838,7 +91244,7 @@ type: keyword -- -*`microsoft.rsa.network.vlan`*:: +*`rsa.network.vlan`*:: + -- This key should only be used to capture the ID of the Virtual LAN @@ -90847,7 +91253,7 @@ type: long -- -*`microsoft.rsa.network.zone_src`*:: +*`rsa.network.zone_src`*:: + -- This key should only be used when it’s a Source Zone. @@ -90856,7 +91262,7 @@ type: keyword -- -*`microsoft.rsa.network.zone`*:: +*`rsa.network.zone`*:: + -- This key should be used when the source or destination context of a Zone is not clear @@ -90865,7 +91271,7 @@ type: keyword -- -*`microsoft.rsa.network.zone_dst`*:: +*`rsa.network.zone_dst`*:: + -- This key should only be used when it’s a Destination Zone. @@ -90874,7 +91280,7 @@ type: keyword -- -*`microsoft.rsa.network.gateway`*:: +*`rsa.network.gateway`*:: + -- This key is used to capture the IP Address of the gateway @@ -90883,7 +91289,7 @@ type: keyword -- -*`microsoft.rsa.network.icmp_type`*:: +*`rsa.network.icmp_type`*:: + -- This key is used to capture the ICMP type only 
@@ -90892,7 +91298,7 @@ type: long -- -*`microsoft.rsa.network.mask`*:: +*`rsa.network.mask`*:: + -- This key is used to capture the device network IPmask. @@ -90901,7 +91307,7 @@ type: keyword -- -*`microsoft.rsa.network.icmp_code`*:: +*`rsa.network.icmp_code`*:: + -- This key is used to capture the ICMP code only @@ -90910,7 +91316,7 @@ type: long -- -*`microsoft.rsa.network.protocol_detail`*:: +*`rsa.network.protocol_detail`*:: + -- This key should be used to capture additional protocol information @@ -90919,7 +91325,7 @@ type: keyword -- -*`microsoft.rsa.network.dmask`*:: +*`rsa.network.dmask`*:: + -- This key is used for Destionation Device network mask @@ -90928,7 +91334,7 @@ type: keyword -- -*`microsoft.rsa.network.port`*:: +*`rsa.network.port`*:: + -- This key should only be used to capture a Network Port when the directionality is not clear @@ -90937,7 +91343,7 @@ type: long -- -*`microsoft.rsa.network.smask`*:: +*`rsa.network.smask`*:: + -- This key is used for capturing source Network Mask @@ -90946,7 +91352,7 @@ type: keyword -- -*`microsoft.rsa.network.netname`*:: +*`rsa.network.netname`*:: + -- This key is used to capture the network name associated with an IP range. This is configured by the end user. @@ -90955,7 +91361,7 @@ type: keyword -- -*`microsoft.rsa.network.paddr`*:: +*`rsa.network.paddr`*:: + -- Deprecated 
@@ -90964,91 +91370,91 @@ type: ip -- -*`microsoft.rsa.network.faddr`*:: +*`rsa.network.faddr`*:: + -- type: keyword -- -*`microsoft.rsa.network.lhost`*:: +*`rsa.network.lhost`*:: + -- type: keyword -- -*`microsoft.rsa.network.origin`*:: +*`rsa.network.origin`*:: + -- type: keyword -- -*`microsoft.rsa.network.remote_domain_id`*:: +*`rsa.network.remote_domain_id`*:: + -- type: keyword -- -*`microsoft.rsa.network.addr`*:: +*`rsa.network.addr`*:: + -- type: keyword -- -*`microsoft.rsa.network.dns_a_record`*:: +*`rsa.network.dns_a_record`*:: + -- type: keyword -- -*`microsoft.rsa.network.dns_ptr_record`*:: +*`rsa.network.dns_ptr_record`*:: + -- type: keyword -- -*`microsoft.rsa.network.fhost`*:: +*`rsa.network.fhost`*:: + -- type: keyword -- -*`microsoft.rsa.network.fport`*:: +*`rsa.network.fport`*:: + -- type: keyword -- -*`microsoft.rsa.network.laddr`*:: +*`rsa.network.laddr`*:: + -- type: keyword -- -*`microsoft.rsa.network.linterface`*:: +*`rsa.network.linterface`*:: + -- type: keyword -- -*`microsoft.rsa.network.phost`*:: +*`rsa.network.phost`*:: + -- type: keyword -- -*`microsoft.rsa.network.ad_computer_dst`*:: +*`rsa.network.ad_computer_dst`*:: + -- Deprecated, use host.dst @@ -91057,7 +91463,7 @@ type: keyword -- -*`microsoft.rsa.network.eth_type`*:: +*`rsa.network.eth_type`*:: + -- This key is used to capture Ethernet Type, Used for Layer 3 Protocols Only @@ -91066,7 +91472,7 @@ type: long -- -*`microsoft.rsa.network.ip_proto`*:: +*`rsa.network.ip_proto`*:: + -- This key should be used to capture the Protocol number, all the protocol nubers are converted into string in UI 
@@ -91075,63 +91481,63 @@ type: long -- -*`microsoft.rsa.network.dns_cname_record`*:: +*`rsa.network.dns_cname_record`*:: + -- type: keyword -- -*`microsoft.rsa.network.dns_id`*:: +*`rsa.network.dns_id`*:: + -- type: keyword -- -*`microsoft.rsa.network.dns_opcode`*:: +*`rsa.network.dns_opcode`*:: + -- type: keyword -- -*`microsoft.rsa.network.dns_resp`*:: +*`rsa.network.dns_resp`*:: + -- type: keyword -- -*`microsoft.rsa.network.dns_type`*:: +*`rsa.network.dns_type`*:: + -- type: keyword -- -*`microsoft.rsa.network.domain1`*:: +*`rsa.network.domain1`*:: + -- type: keyword -- -*`microsoft.rsa.network.host_type`*:: +*`rsa.network.host_type`*:: + -- type: keyword -- -*`microsoft.rsa.network.packet_length`*:: +*`rsa.network.packet_length`*:: + -- type: keyword -- -*`microsoft.rsa.network.host_orig`*:: +*`rsa.network.host_orig`*:: + -- This is used to capture the original hostname in case of a Forwarding Agent or a Proxy in between. @@ -91140,7 +91546,7 @@ type: keyword -- -*`microsoft.rsa.network.rpayload`*:: +*`rsa.network.rpayload`*:: + -- This key is used to capture the total number of payload bytes seen in the retransmitted packets. @@ -91149,7 +91555,7 @@ type: keyword -- -*`microsoft.rsa.network.vlan_name`*:: +*`rsa.network.vlan_name`*:: + -- This key should only be used to capture the name of the Virtual LAN @@ -91159,7 +91565,7 @@ type: keyword -- -*`microsoft.rsa.investigations.ec_activity`*:: +*`rsa.investigations.ec_activity`*:: + -- This key captures the particular event activity(Ex:Logoff) @@ -91168,7 +91574,7 @@ type: keyword -- -*`microsoft.rsa.investigations.ec_theme`*:: +*`rsa.investigations.ec_theme`*:: + -- This key captures the Theme of a particular Event(Ex:Authentication) @@ -91177,7 +91583,7 @@ type: keyword -- -*`microsoft.rsa.investigations.ec_subject`*:: +*`rsa.investigations.ec_subject`*:: + -- This key captures the Subject of a particular Event(Ex:User) 
@@ -91186,7 +91592,7 @@ type: keyword -- -*`microsoft.rsa.investigations.ec_outcome`*:: +*`rsa.investigations.ec_outcome`*:: + -- This key captures the outcome of a particular Event(Ex:Success) @@ -91195,7 +91601,7 @@ type: keyword -- -*`microsoft.rsa.investigations.event_cat`*:: +*`rsa.investigations.event_cat`*:: + -- This key captures the Event category number @@ -91204,7 +91610,7 @@ type: long -- -*`microsoft.rsa.investigations.event_cat_name`*:: +*`rsa.investigations.event_cat_name`*:: + -- This key captures the event category name corresponding to the event cat code @@ -91213,7 +91619,7 @@ type: keyword -- -*`microsoft.rsa.investigations.event_vcat`*:: +*`rsa.investigations.event_vcat`*:: + -- This is a vendor supplied category. This should be used in situations where the vendor has adopted their own event_category taxonomy. @@ -91222,7 +91628,7 @@ type: keyword -- -*`microsoft.rsa.investigations.analysis_file`*:: +*`rsa.investigations.analysis_file`*:: + -- This is used to capture all indicators used in a File Analysis. This key should be used to capture an analysis of a file @@ -91231,7 +91637,7 @@ type: keyword -- -*`microsoft.rsa.investigations.analysis_service`*:: +*`rsa.investigations.analysis_service`*:: + -- This is used to capture all indicators used in a Service Analysis. This key should be used to capture an analysis of a service @@ -91240,7 +91646,7 @@ type: keyword -- -*`microsoft.rsa.investigations.analysis_session`*:: +*`rsa.investigations.analysis_session`*:: + -- This is used to capture all indicators used for a Session Analysis. This key should be used to capture an analysis of a session @@ -91249,7 +91655,7 @@ type: keyword -- -*`microsoft.rsa.investigations.boc`*:: +*`rsa.investigations.boc`*:: + -- This is used to capture behaviour of compromise @@ -91258,7 +91664,7 @@ type: keyword -- -*`microsoft.rsa.investigations.eoc`*:: +*`rsa.investigations.eoc`*:: + -- This is used to capture Enablers of Compromise 
@@ -91267,7 +91673,7 @@ type: keyword -- -*`microsoft.rsa.investigations.inv_category`*:: +*`rsa.investigations.inv_category`*:: + -- This used to capture investigation category @@ -91276,7 +91682,7 @@ type: keyword -- -*`microsoft.rsa.investigations.inv_context`*:: +*`rsa.investigations.inv_context`*:: + -- This used to capture investigation context @@ -91285,7 +91691,7 @@ type: keyword -- -*`microsoft.rsa.investigations.ioc`*:: +*`rsa.investigations.ioc`*:: + -- This is key capture indicator of compromise @@ -91295,7 +91701,7 @@ type: keyword -- -*`microsoft.rsa.counters.dclass_c1`*:: +*`rsa.counters.dclass_c1`*:: + -- This is a generic counter key that should be used with the label dclass.c1.str only @@ -91304,7 +91710,7 @@ type: long -- -*`microsoft.rsa.counters.dclass_c2`*:: +*`rsa.counters.dclass_c2`*:: + -- This is a generic counter key that should be used with the label dclass.c2.str only @@ -91313,7 +91719,7 @@ type: long -- -*`microsoft.rsa.counters.event_counter`*:: +*`rsa.counters.event_counter`*:: + -- This is used to capture the number of times an event repeated @@ -91322,7 +91728,7 @@ type: long -- -*`microsoft.rsa.counters.dclass_r1`*:: +*`rsa.counters.dclass_r1`*:: + -- This is a generic ratio key that should be used with the label dclass.r1.str only @@ -91331,7 +91737,7 @@ type: keyword -- -*`microsoft.rsa.counters.dclass_c3`*:: +*`rsa.counters.dclass_c3`*:: + -- This is a generic counter key that should be used with the label dclass.c3.str only @@ -91340,7 +91746,7 @@ type: long -- -*`microsoft.rsa.counters.dclass_c1_str`*:: +*`rsa.counters.dclass_c1_str`*:: + -- This is a generic counter string key that should be used with the label dclass.c1 only @@ -91349,7 +91755,7 @@ type: keyword -- -*`microsoft.rsa.counters.dclass_c2_str`*:: +*`rsa.counters.dclass_c2_str`*:: + -- This is a generic counter string key that should be used with the label dclass.c2 only 
@@ -91358,7 +91764,7 @@ type: keyword -- -*`microsoft.rsa.counters.dclass_r1_str`*:: +*`rsa.counters.dclass_r1_str`*:: + -- This is a generic ratio string key that should be used with the label dclass.r1 only @@ -91367,7 +91773,7 @@ type: keyword -- -*`microsoft.rsa.counters.dclass_r2`*:: +*`rsa.counters.dclass_r2`*:: + -- This is a generic ratio key that should be used with the label dclass.r2.str only @@ -91376,7 +91782,7 @@ type: keyword -- -*`microsoft.rsa.counters.dclass_c3_str`*:: +*`rsa.counters.dclass_c3_str`*:: + -- This is a generic counter string key that should be used with the label dclass.c3 only @@ -91385,7 +91791,7 @@ type: keyword -- -*`microsoft.rsa.counters.dclass_r3`*:: +*`rsa.counters.dclass_r3`*:: + -- This is a generic ratio key that should be used with the label dclass.r3.str only @@ -91394,7 +91800,7 @@ type: keyword -- -*`microsoft.rsa.counters.dclass_r2_str`*:: +*`rsa.counters.dclass_r2_str`*:: + -- This is a generic ratio string key that should be used with the label dclass.r2 only @@ -91403,7 +91809,7 @@ type: keyword -- -*`microsoft.rsa.counters.dclass_r3_str`*:: +*`rsa.counters.dclass_r3_str`*:: + -- This is a generic ratio string key that should be used with the label dclass.r3 only @@ -91413,7 +91819,7 @@ type: keyword -- -*`microsoft.rsa.identity.auth_method`*:: +*`rsa.identity.auth_method`*:: + -- This key is used to capture authentication methods used only @@ -91422,7 +91828,7 @@ type: keyword -- -*`microsoft.rsa.identity.user_role`*:: +*`rsa.identity.user_role`*:: + -- This key is used to capture the Role of a user only @@ -91431,7 +91837,7 @@ type: keyword -- -*`microsoft.rsa.identity.dn`*:: +*`rsa.identity.dn`*:: + -- X.500 (LDAP) Distinguished Name @@ -91440,7 +91846,7 @@ type: keyword -- -*`microsoft.rsa.identity.logon_type`*:: +*`rsa.identity.logon_type`*:: + -- This key is used to capture the type of logon method used. 
@@ -91449,7 +91855,7 @@ type: keyword -- -*`microsoft.rsa.identity.profile`*:: +*`rsa.identity.profile`*:: + -- This key is used to capture the user profile @@ -91458,7 +91864,7 @@ type: keyword -- -*`microsoft.rsa.identity.accesses`*:: +*`rsa.identity.accesses`*:: + -- This key is used to capture actual privileges used in accessing an object @@ -91467,7 +91873,7 @@ type: keyword -- -*`microsoft.rsa.identity.realm`*:: +*`rsa.identity.realm`*:: + -- Radius realm or similar grouping of accounts @@ -91476,7 +91882,7 @@ type: keyword -- -*`microsoft.rsa.identity.user_sid_dst`*:: +*`rsa.identity.user_sid_dst`*:: + -- This key captures Destination User Session ID @@ -91485,7 +91891,7 @@ type: keyword -- -*`microsoft.rsa.identity.dn_src`*:: +*`rsa.identity.dn_src`*:: + -- An X.500 (LDAP) Distinguished name that is used in a context that indicates a Source dn @@ -91494,7 +91900,7 @@ type: keyword -- -*`microsoft.rsa.identity.org`*:: +*`rsa.identity.org`*:: + -- This key captures the User organization @@ -91503,7 +91909,7 @@ type: keyword -- -*`microsoft.rsa.identity.dn_dst`*:: +*`rsa.identity.dn_dst`*:: + -- An X.500 (LDAP) Distinguished name that used in a context that indicates a Destination dn @@ -91512,7 +91918,7 @@ type: keyword -- -*`microsoft.rsa.identity.firstname`*:: +*`rsa.identity.firstname`*:: + -- This key is for First Names only, this is used for Healthcare predominantly to capture Patients information @@ -91521,7 +91927,7 @@ type: keyword -- -*`microsoft.rsa.identity.lastname`*:: +*`rsa.identity.lastname`*:: + -- This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information @@ -91530,7 +91936,7 @@ type: keyword -- -*`microsoft.rsa.identity.user_dept`*:: +*`rsa.identity.user_dept`*:: + -- User's Department Names only @@ -91539,7 +91945,7 @@ type: keyword -- -*`microsoft.rsa.identity.user_sid_src`*:: +*`rsa.identity.user_sid_src`*:: + -- This key captures Source User Session ID 
@@ -91548,7 +91954,7 @@ type: keyword -- -*`microsoft.rsa.identity.federated_sp`*:: +*`rsa.identity.federated_sp`*:: + -- This key is the Federated Service Provider. This is the application requesting authentication. @@ -91557,7 +91963,7 @@ type: keyword -- -*`microsoft.rsa.identity.federated_idp`*:: +*`rsa.identity.federated_idp`*:: + -- This key is the federated Identity Provider. This is the server providing the authentication. @@ -91566,7 +91972,7 @@ type: keyword -- -*`microsoft.rsa.identity.logon_type_desc`*:: +*`rsa.identity.logon_type_desc`*:: + -- This key is used to capture the textual description of an integer logon type as stored in the meta key 'logon.type'. @@ -91575,7 +91981,7 @@ type: keyword -- -*`microsoft.rsa.identity.middlename`*:: +*`rsa.identity.middlename`*:: + -- This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information @@ -91584,7 +91990,7 @@ type: keyword -- -*`microsoft.rsa.identity.password`*:: +*`rsa.identity.password`*:: + -- This key is for Passwords seen in any session, plain text or encrypted @@ -91593,7 +91999,7 @@ type: keyword -- -*`microsoft.rsa.identity.host_role`*:: +*`rsa.identity.host_role`*:: + -- This key should only be used to capture the role of a Host Machine @@ -91602,7 +92008,7 @@ type: keyword -- -*`microsoft.rsa.identity.ldap`*:: +*`rsa.identity.ldap`*:: + -- This key is for Uninterpreted LDAP values. Ldap Values that don’t have a clear query or response context @@ -91611,7 +92017,7 @@ type: keyword -- -*`microsoft.rsa.identity.ldap_query`*:: +*`rsa.identity.ldap_query`*:: + -- This key is the Search criteria from an LDAP search @@ -91620,7 +92026,7 @@ type: keyword -- -*`microsoft.rsa.identity.ldap_response`*:: +*`rsa.identity.ldap_response`*:: + -- This key is to capture Results from an LDAP search 
@@ -91629,7 +92035,7 @@ type: keyword -- -*`microsoft.rsa.identity.owner`*:: +*`rsa.identity.owner`*:: + -- This is used to capture username the process or service is running as, the author of the task @@ -91638,7 +92044,7 @@ type: keyword -- -*`microsoft.rsa.identity.service_account`*:: +*`rsa.identity.service_account`*:: + -- This key is a windows specific key, used for capturing name of the account a service (referenced in the event) is running under. Legacy Usage @@ -91648,7 +92054,7 @@ type: keyword -- -*`microsoft.rsa.email.email_dst`*:: +*`rsa.email.email_dst`*:: + -- This key is used to capture the Destination email address only, when the destination context is not clear use email @@ -91657,7 +92063,7 @@ type: keyword -- -*`microsoft.rsa.email.email_src`*:: +*`rsa.email.email_src`*:: + -- This key is used to capture the source email address only, when the source context is not clear use email @@ -91666,7 +92072,7 @@ type: keyword -- -*`microsoft.rsa.email.subject`*:: +*`rsa.email.subject`*:: + -- This key is used to capture the subject string from an Email only. @@ -91675,7 +92081,7 @@ type: keyword -- -*`microsoft.rsa.email.email`*:: +*`rsa.email.email`*:: + -- This key is used to capture a generic email address where the source or destination context is not clear @@ -91684,7 +92090,7 @@ type: keyword -- -*`microsoft.rsa.email.trans_from`*:: +*`rsa.email.trans_from`*:: + -- Deprecated key defined only in table map. @@ -91693,7 +92099,7 @@ type: keyword -- -*`microsoft.rsa.email.trans_to`*:: +*`rsa.email.trans_to`*:: + -- Deprecated key defined only in table map. @@ -91703,7 +92109,7 @@ type: keyword -- -*`microsoft.rsa.file.privilege`*:: +*`rsa.file.privilege`*:: + -- Deprecated, use permissions @@ -91712,7 +92118,7 @@ type: keyword -- -*`microsoft.rsa.file.attachment`*:: +*`rsa.file.attachment`*:: + -- This key captures the attachment file name 
@@ -91721,14 +92127,14 @@ type: keyword -- -*`microsoft.rsa.file.filesystem`*:: +*`rsa.file.filesystem`*:: + -- type: keyword -- -*`microsoft.rsa.file.binary`*:: +*`rsa.file.binary`*:: + -- Deprecated key defined only in table map. @@ -91737,7 +92143,7 @@ type: keyword -- -*`microsoft.rsa.file.filename_dst`*:: +*`rsa.file.filename_dst`*:: + -- This is used to capture name of the file targeted by the action @@ -91746,7 +92152,7 @@ type: keyword -- -*`microsoft.rsa.file.filename_src`*:: +*`rsa.file.filename_src`*:: + -- This is used to capture name of the parent filename, the file which performed the action @@ -91755,14 +92161,14 @@ type: keyword -- -*`microsoft.rsa.file.filename_tmp`*:: +*`rsa.file.filename_tmp`*:: + -- type: keyword -- -*`microsoft.rsa.file.directory_dst`*:: +*`rsa.file.directory_dst`*:: + -- This key is used to capture the directory of the target process or file @@ -91771,7 +92177,7 @@ type: keyword -- -*`microsoft.rsa.file.directory_src`*:: +*`rsa.file.directory_src`*:: + -- This key is used to capture the directory of the source process or file @@ -91780,7 +92186,7 @@ type: keyword -- -*`microsoft.rsa.file.file_entropy`*:: +*`rsa.file.file_entropy`*:: + -- This is used to capture entropy vale of a file @@ -91789,7 +92195,7 @@ type: double -- -*`microsoft.rsa.file.file_vendor`*:: +*`rsa.file.file_vendor`*:: + -- This is used to capture Company name of file located in version_info @@ -91798,7 +92204,7 @@ type: keyword -- -*`microsoft.rsa.file.task_name`*:: +*`rsa.file.task_name`*:: + -- This is used to capture name of the task @@ -91808,7 +92214,7 @@ type: keyword -- -*`microsoft.rsa.web.fqdn`*:: +*`rsa.web.fqdn`*:: + -- Fully Qualified Domain Names @@ -91817,7 +92223,7 @@ type: keyword -- -*`microsoft.rsa.web.web_cookie`*:: +*`rsa.web.web_cookie`*:: + -- This key is used to capture the Web cookies specifically. 
@@ -91826,14 +92232,14 @@ type: keyword -- -*`microsoft.rsa.web.alias_host`*:: +*`rsa.web.alias_host`*:: + -- type: keyword -- -*`microsoft.rsa.web.reputation_num`*:: +*`rsa.web.reputation_num`*:: + -- Reputation Number of an entity. Typically used for Web Domains @@ -91842,7 +92248,7 @@ type: double -- -*`microsoft.rsa.web.web_ref_domain`*:: +*`rsa.web.web_ref_domain`*:: + -- Web referer's domain @@ -91851,7 +92257,7 @@ type: keyword -- -*`microsoft.rsa.web.web_ref_query`*:: +*`rsa.web.web_ref_query`*:: + -- This key captures Web referer's query portion of the URL @@ -91860,14 +92266,14 @@ type: keyword -- -*`microsoft.rsa.web.remote_domain`*:: +*`rsa.web.remote_domain`*:: + -- type: keyword -- -*`microsoft.rsa.web.web_ref_page`*:: +*`rsa.web.web_ref_page`*:: + -- This key captures Web referer's page information @@ -91876,7 +92282,7 @@ type: keyword -- -*`microsoft.rsa.web.web_ref_root`*:: +*`rsa.web.web_ref_root`*:: + -- Web referer's root URL path @@ -91885,77 +92291,77 @@ type: keyword -- -*`microsoft.rsa.web.cn_asn_dst`*:: +*`rsa.web.cn_asn_dst`*:: + -- type: keyword -- -*`microsoft.rsa.web.cn_rpackets`*:: +*`rsa.web.cn_rpackets`*:: + -- type: keyword -- -*`microsoft.rsa.web.urlpage`*:: +*`rsa.web.urlpage`*:: + -- type: keyword -- -*`microsoft.rsa.web.urlroot`*:: +*`rsa.web.urlroot`*:: + -- type: keyword -- -*`microsoft.rsa.web.p_url`*:: +*`rsa.web.p_url`*:: + -- type: keyword -- -*`microsoft.rsa.web.p_user_agent`*:: +*`rsa.web.p_user_agent`*:: + -- type: keyword -- -*`microsoft.rsa.web.p_web_cookie`*:: +*`rsa.web.p_web_cookie`*:: + -- type: keyword -- -*`microsoft.rsa.web.p_web_method`*:: +*`rsa.web.p_web_method`*:: + -- type: keyword -- -*`microsoft.rsa.web.p_web_referer`*:: +*`rsa.web.p_web_referer`*:: + -- type: keyword -- -*`microsoft.rsa.web.web_extension_tmp`*:: +*`rsa.web.web_extension_tmp`*:: + -- type: keyword -- -*`microsoft.rsa.web.web_page`*:: +*`rsa.web.web_page`*:: + -- type: keyword 
@@ -91963,7 +92369,7 @@ type: keyword -- -*`microsoft.rsa.threat.threat_category`*:: +*`rsa.threat.threat_category`*:: + -- This key captures Threat Name/Threat Category/Categorization of alert @@ -91972,7 +92378,7 @@ type: keyword -- -*`microsoft.rsa.threat.threat_desc`*:: +*`rsa.threat.threat_desc`*:: + -- This key is used to capture the threat description from the session directly or inferred @@ -91981,7 +92387,7 @@ type: keyword -- -*`microsoft.rsa.threat.alert`*:: +*`rsa.threat.alert`*:: + -- This key is used to capture name of the alert @@ -91990,7 +92396,7 @@ type: keyword -- -*`microsoft.rsa.threat.threat_source`*:: +*`rsa.threat.threat_source`*:: + -- This key is used to capture source of the threat @@ -92000,7 +92406,7 @@ type: keyword -- -*`microsoft.rsa.crypto.crypto`*:: +*`rsa.crypto.crypto`*:: + -- This key is used to capture the Encryption Type or Encryption Key only @@ -92009,7 +92415,7 @@ type: keyword -- -*`microsoft.rsa.crypto.cipher_src`*:: +*`rsa.crypto.cipher_src`*:: + -- This key is for Source (Client) Cipher @@ -92018,7 +92424,7 @@ type: keyword -- -*`microsoft.rsa.crypto.cert_subject`*:: +*`rsa.crypto.cert_subject`*:: + -- This key is used to capture the Certificate organization only @@ -92027,7 +92433,7 @@ type: keyword -- -*`microsoft.rsa.crypto.peer`*:: +*`rsa.crypto.peer`*:: + -- This key is for Encryption peer's IP Address @@ -92036,7 +92442,7 @@ type: keyword -- -*`microsoft.rsa.crypto.cipher_size_src`*:: +*`rsa.crypto.cipher_size_src`*:: + -- This key captures Source (Client) Cipher Size @@ -92045,7 +92451,7 @@ type: long -- -*`microsoft.rsa.crypto.ike`*:: +*`rsa.crypto.ike`*:: + -- IKE negotiation phase. @@ -92054,7 +92460,7 @@ type: keyword -- -*`microsoft.rsa.crypto.scheme`*:: +*`rsa.crypto.scheme`*:: + -- This key captures the Encryption scheme used @@ -92063,7 +92469,7 @@ type: keyword -- -*`microsoft.rsa.crypto.peer_id`*:: +*`rsa.crypto.peer_id`*:: + -- This key is for Encryption peer’s identity 
@@ -92072,7 +92478,7 @@ type: keyword -- -*`microsoft.rsa.crypto.sig_type`*:: +*`rsa.crypto.sig_type`*:: + -- This key captures the Signature Type @@ -92081,14 +92487,14 @@ type: keyword -- -*`microsoft.rsa.crypto.cert_issuer`*:: +*`rsa.crypto.cert_issuer`*:: + -- type: keyword -- -*`microsoft.rsa.crypto.cert_host_name`*:: +*`rsa.crypto.cert_host_name`*:: + -- Deprecated key defined only in table map. @@ -92097,7 +92503,7 @@ type: keyword -- -*`microsoft.rsa.crypto.cert_error`*:: +*`rsa.crypto.cert_error`*:: + -- This key captures the Certificate Error String @@ -92106,7 +92512,7 @@ type: keyword -- -*`microsoft.rsa.crypto.cipher_dst`*:: +*`rsa.crypto.cipher_dst`*:: + -- This key is for Destination (Server) Cipher @@ -92115,7 +92521,7 @@ type: keyword -- -*`microsoft.rsa.crypto.cipher_size_dst`*:: +*`rsa.crypto.cipher_size_dst`*:: + -- This key captures Destination (Server) Cipher Size @@ -92124,7 +92530,7 @@ type: long -- -*`microsoft.rsa.crypto.ssl_ver_src`*:: +*`rsa.crypto.ssl_ver_src`*:: + -- Deprecated, use version @@ -92133,21 +92539,21 @@ type: keyword -- -*`microsoft.rsa.crypto.d_certauth`*:: +*`rsa.crypto.d_certauth`*:: + -- type: keyword -- -*`microsoft.rsa.crypto.s_certauth`*:: +*`rsa.crypto.s_certauth`*:: + -- type: keyword -- -*`microsoft.rsa.crypto.ike_cookie1`*:: +*`rsa.crypto.ike_cookie1`*:: + -- ID of the negotiation — sent for ISAKMP Phase One @@ -92156,7 +92562,7 @@ type: keyword -- -*`microsoft.rsa.crypto.ike_cookie2`*:: +*`rsa.crypto.ike_cookie2`*:: + -- ID of the negotiation — sent for ISAKMP Phase Two @@ -92165,14 +92571,14 @@ type: keyword -- -*`microsoft.rsa.crypto.cert_checksum`*:: +*`rsa.crypto.cert_checksum`*:: + -- type: keyword -- -*`microsoft.rsa.crypto.cert_host_cat`*:: +*`rsa.crypto.cert_host_cat`*:: + -- This key is used for the hostname category value of a certificate 
@@ -92181,7 +92587,7 @@ type: keyword -- -*`microsoft.rsa.crypto.cert_serial`*:: +*`rsa.crypto.cert_serial`*:: + -- This key is used to capture the Certificate serial number only @@ -92190,7 +92596,7 @@ type: keyword -- -*`microsoft.rsa.crypto.cert_status`*:: +*`rsa.crypto.cert_status`*:: + -- This key captures Certificate validation status @@ -92199,7 +92605,7 @@ type: keyword -- -*`microsoft.rsa.crypto.ssl_ver_dst`*:: +*`rsa.crypto.ssl_ver_dst`*:: + -- Deprecated, use version @@ -92208,35 +92614,35 @@ type: keyword -- -*`microsoft.rsa.crypto.cert_keysize`*:: +*`rsa.crypto.cert_keysize`*:: + -- type: keyword -- -*`microsoft.rsa.crypto.cert_username`*:: +*`rsa.crypto.cert_username`*:: + -- type: keyword -- -*`microsoft.rsa.crypto.https_insact`*:: +*`rsa.crypto.https_insact`*:: + -- type: keyword -- -*`microsoft.rsa.crypto.https_valid`*:: +*`rsa.crypto.https_valid`*:: + -- type: keyword -- -*`microsoft.rsa.crypto.cert_ca`*:: +*`rsa.crypto.cert_ca`*:: + -- This key is used to capture the Certificate signing authority only @@ -92245,7 +92651,7 @@ type: keyword -- -*`microsoft.rsa.crypto.cert_common`*:: +*`rsa.crypto.cert_common`*:: + -- This key is used to capture the Certificate common name only @@ -92255,7 +92661,7 @@ type: keyword -- -*`microsoft.rsa.wireless.wlan_ssid`*:: +*`rsa.wireless.wlan_ssid`*:: + -- This key is used to capture the ssid of a Wireless Session @@ -92264,7 +92670,7 @@ type: keyword -- -*`microsoft.rsa.wireless.access_point`*:: +*`rsa.wireless.access_point`*:: + -- This key is used to capture the access point name. @@ -92273,7 +92679,7 @@ type: keyword -- -*`microsoft.rsa.wireless.wlan_channel`*:: +*`rsa.wireless.wlan_channel`*:: + -- This is used to capture the channel names @@ -92282,7 +92688,7 @@ type: long -- -*`microsoft.rsa.wireless.wlan_name`*:: +*`rsa.wireless.wlan_name`*:: + -- This key captures either WLAN number/name 
@@ -92292,7 +92698,7 @@ type: keyword -- -*`microsoft.rsa.storage.disk_volume`*:: +*`rsa.storage.disk_volume`*:: + -- A unique name assigned to logical units (volumes) within a physical disk @@ -92301,7 +92707,7 @@ type: keyword -- -*`microsoft.rsa.storage.lun`*:: +*`rsa.storage.lun`*:: + -- Logical Unit Number.This key is a very useful concept in Storage. @@ -92310,7 +92716,7 @@ type: keyword -- -*`microsoft.rsa.storage.pwwn`*:: +*`rsa.storage.pwwn`*:: + -- This uniquely identifies a port on a HBA. @@ -92320,7 +92726,7 @@ type: keyword -- -*`microsoft.rsa.physical.org_dst`*:: +*`rsa.physical.org_dst`*:: + -- This is used to capture the destination organization based on the GEOPIP Maxmind database. @@ -92329,7 +92735,7 @@ type: keyword -- -*`microsoft.rsa.physical.org_src`*:: +*`rsa.physical.org_src`*:: + -- This is used to capture the source organization based on the GEOPIP Maxmind database. @@ -92339,7 +92745,7 @@ type: keyword -- -*`microsoft.rsa.healthcare.patient_fname`*:: +*`rsa.healthcare.patient_fname`*:: + -- This key is for First Names only, this is used for Healthcare predominantly to capture Patients information @@ -92348,7 +92754,7 @@ type: keyword -- -*`microsoft.rsa.healthcare.patient_id`*:: +*`rsa.healthcare.patient_id`*:: + -- This key captures the unique ID for a patient @@ -92357,7 +92763,7 @@ type: keyword -- -*`microsoft.rsa.healthcare.patient_lname`*:: +*`rsa.healthcare.patient_lname`*:: + -- This key is for Last Names only, this is used for Healthcare predominantly to capture Patients information @@ -92366,7 +92772,7 @@ type: keyword -- -*`microsoft.rsa.healthcare.patient_mname`*:: +*`rsa.healthcare.patient_mname`*:: + -- This key is for Middle Names only, this is used for Healthcare predominantly to capture Patients information 
@@ -92376,7 +92782,7 @@ type: keyword -- -*`microsoft.rsa.endpoint.host_state`*:: +*`rsa.endpoint.host_state`*:: + -- This key is used to capture the current state of the machine, such as blacklisted, infected, firewall disabled and so on @@ -92385,7 +92791,7 @@ type: keyword -- -*`microsoft.rsa.endpoint.registry_key`*:: +*`rsa.endpoint.registry_key`*:: + -- This key captures the path to the registry key @@ -92394,7 +92800,7 @@ type: keyword -- -*`microsoft.rsa.endpoint.registry_value`*:: +*`rsa.endpoint.registry_value`*:: + -- This key captures values or decorators used within a registry entry diff --git a/filebeat/docs/modules/f5.asciidoc b/filebeat/docs/modules/f5.asciidoc index e0f69dbffac..8ebfd8f94a7 100644 --- a/filebeat/docs/modules/f5.asciidoc +++ b/filebeat/docs/modules/f5.asciidoc 
@@ -67,51 +67,6 @@ will be found under `rsa.raw`. The default is false. :fileset_ex!: -[float] -==== `firepass` fileset settings - -experimental[] - -NOTE: This was converted from RSA NetWitness log parser XML "firepass" device revision 0. - -*`var.input`*:: - -The input from which messages are read. One of `file`, `tcp` or `udp`. - -*`var.syslog_host`*:: - -The address to listen to UDP or TCP based syslog traffic. -Defaults to `localhost`. -Set to `0.0.0.0` to bind to all available interfaces. - -*`var.syslog_port`*:: - -The port to listen for syslog traffic. Defaults to `9509` - -NOTE: Ports below 1024 require Filebeat to run as root. - -*`var.tz_offset`*:: - -By default, datetimes in the logs will be interpreted as relative to -the timezone configured in the host where {beatname_uc} is running. If ingesting -logs from a host on a different timezone, use this field to set the timezone -offset so that datetimes are correctly parsed. Valid values are in the form -±HH:mm, for example, `-07:00` for `UTC-7`. - -*`var.rsa_fields`*:: - -Flag to control the addition of non-ECS fields to the event. Defaults to true, -which causes both ECS and custom fields under `rsa` to be are added. - -*`var.keep_raw_fields`*:: - -Flag to control the addition of the raw parser fields to the event. This fields -will be found under `rsa.raw`. The default is false. - -:has-dashboards!: - -:fileset_ex!: - :modulename!: diff --git a/filebeat/docs/running-on-kubernetes.asciidoc b/filebeat/docs/running-on-kubernetes.asciidoc index 0df3c811a95..40c18b3f8f2 100644 --- a/filebeat/docs/running-on-kubernetes.asciidoc +++ b/filebeat/docs/running-on-kubernetes.asciidoc @@ -4,6 +4,8 @@ You can use {beatname_uc} <> on Kubernetes to retrieve and ship container logs. +TIP: Running {ecloud} on Kubernetes? See {eck-ref}/k8s-beat.html[Run {beats} on ECK]. + ifeval::["{release-state}"=="unreleased"] However, version {version} of {beatname_uc} has not yet been 
diff --git a/filebeat/input/log/harvester.go b/filebeat/input/log/harvester.go index 60c94dc3cb5..9dc93202951 100644 --- a/filebeat/input/log/harvester.go +++ b/filebeat/input/log/harvester.go @@ -58,7 +58,7 @@ import ( var ( harvesterMetrics = monitoring.Default.NewRegistry("filebeat.harvester") - filesMetrics = harvesterMetrics.NewRegistry("files") + filesMetrics = monitoring.GetNamespace("dataset").GetRegistry() harvesterStarted = monitoring.NewInt(harvesterMetrics, "started") harvesterClosed = monitoring.NewInt(harvesterMetrics, "closed") diff --git a/filebeat/module/apache/access/test/test-vhost.log-expected.json b/filebeat/module/apache/access/test/test-vhost.log-expected.json index d61237c3c8d..b332788ad2b 100644 --- a/filebeat/module/apache/access/test/test-vhost.log-expected.json +++ b/filebeat/module/apache/access/test/test-vhost.log-expected.json @@ -19,7 +19,7 @@ "source.ip": "192.168.33.2", "url.original": "/hello", "user.name": "-", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0", "user_agent.os.full": "Mac OS X 10.12", diff --git a/filebeat/module/apache/access/test/test.log-expected.json b/filebeat/module/apache/access/test/test.log-expected.json index 7b15274997a..ebe88847586 100644 --- a/filebeat/module/apache/access/test/test.log-expected.json +++ b/filebeat/module/apache/access/test/test.log-expected.json @@ -39,7 +39,7 @@ "source.ip": "192.168.33.1", "url.original": "/hello", "user.name": "-", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0", "user_agent.os.full": "Mac OS X 10.12", 
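Review bot: The new `filesMetrics` is now the registry of the `dataset` namespace instead of a child registry of `harvesterMetrics`, so every metric later registered under `filesMetrics` leaves the `filebeat.harvester.files` path and any monitoring consumer or dashboard keyed on that path would no longer find it; the hunk records neither the new location nor the reason. That namespace registry is presumably shared with other registrants (its other users are outside this hunk), so metric names registered through `filesMetrics` elsewhere in the file can now collide with identically named metrics from another input, which `NewRegistry("files")` previously scoped away. A one-line comment on the new line would make the move auditable, e.g. `// per-file metrics moved from filebeat.harvester.files to the shared "dataset" namespace registry; consumers of the old path must be updated`. The enclosing `var (` block continues past the end of the hunk.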
diff --git a/filebeat/module/apache/access/test/ubuntu-2.2.22.log-expected.json b/filebeat/module/apache/access/test/ubuntu-2.2.22.log-expected.json index cdf664d927e..e9680e5b7fb 100644 --- a/filebeat/module/apache/access/test/ubuntu-2.2.22.log-expected.json +++ b/filebeat/module/apache/access/test/ubuntu-2.2.22.log-expected.json @@ -45,7 +45,7 @@ "source.ip": "192.168.33.1", "url.original": "/", "user.name": "-", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36", "user_agent.os.full": "Mac OS X 10.12.0", @@ -73,7 +73,7 @@ "source.ip": "192.168.33.1", "url.original": "/favicon.ico", "user.name": "-", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36", "user_agent.os.full": "Mac OS X 10.12.0", @@ -101,7 +101,7 @@ "source.ip": "192.168.33.1", "url.original": "/", "user.name": "-", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0", "user_agent.os.full": "Mac OS X 10.12", @@ -129,7 +129,7 @@ "source.ip": "192.168.33.1", "url.original": "/favicon.ico", "user.name": "-", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0", "user_agent.os.full": "Mac OS X 10.12", 
@@ -157,7 +157,7 @@ "source.ip": "192.168.33.1", "url.original": "/favicon.ico", "user.name": "-", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0", "user_agent.os.full": "Mac OS X 10.12", @@ -185,7 +185,7 @@ "source.ip": "192.168.33.1", "url.original": "/test", "user.name": "-", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0", "user_agent.os.full": "Mac OS X 10.12", @@ -213,7 +213,7 @@ "source.ip": "192.168.33.1", "url.original": "/hello", "user.name": "-", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0", "user_agent.os.full": "Mac OS X 10.12", @@ -241,7 +241,7 @@ "source.ip": "192.168.33.1", "url.original": "/crap", "user.name": "-", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0", "user_agent.os.full": "Mac OS X 10.12", diff --git a/filebeat/module/iis/access/test/test-ipv6zone.log-expected.json b/filebeat/module/iis/access/test/test-ipv6zone.log-expected.json index 448779366ce..c3f4a4932da 100644 --- a/filebeat/module/iis/access/test/test-ipv6zone.log-expected.json +++ b/filebeat/module/iis/access/test/test-ipv6zone.log-expected.json 
@@ -37,7 +37,7 @@ "source.address": "::1%0", "source.ip": "::1", "url.path": "/", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36", "user_agent.os.full": "Mac OS X 10.14.0", diff --git a/filebeat/module/iis/access/test/test.log-expected.json b/filebeat/module/iis/access/test/test.log-expected.json index 909bffb0e62..adb56a2eadd 100644 --- a/filebeat/module/iis/access/test/test.log-expected.json +++ b/filebeat/module/iis/access/test/test.log-expected.json @@ -133,7 +133,7 @@ "source.geo.region_name": "Land Berlin", "source.ip": "85.181.35.98", "url.path": "/", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36", "user_agent.os.full": "Mac OS X 10.14.0", diff --git a/filebeat/module/nginx/access/test/access.log-expected.json b/filebeat/module/nginx/access/test/access.log-expected.json index 38ced3a64ac..92519cc1e81 100644 --- a/filebeat/module/nginx/access/test/access.log-expected.json +++ b/filebeat/module/nginx/access/test/access.log-expected.json @@ -38,7 +38,7 @@ "source.geo.region_name": "Rheinland-Pfalz", "source.ip": "77.179.66.156", "url.original": "/", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36", "user_agent.os.full": "Mac OS X 10.12.0", 
@@ -86,7 +86,7 @@ "source.geo.region_name": "Rheinland-Pfalz", "source.ip": "77.179.66.156", "url.original": "/favicon.ico", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36", "user_agent.os.full": "Mac OS X 10.12.0", @@ -133,7 +133,7 @@ "source.geo.region_name": "Rheinland-Pfalz", "source.ip": "77.179.66.156", "url.original": "/adsasd", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36", "user_agent.os.full": "Mac OS X 10.12.0", @@ -180,7 +180,7 @@ "source.geo.region_name": "Rheinland-Pfalz", "source.ip": "77.179.66.156", "url.original": "/", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36", "user_agent.os.full": "Mac OS X 10.12.0", @@ -228,7 +228,7 @@ "source.geo.region_name": "Rheinland-Pfalz", "source.ip": "77.179.66.156", "url.original": "/favicon.ico", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36", "user_agent.os.full": "Mac OS X 10.12.0", 
@@ -275,7 +275,7 @@ "source.geo.region_name": "Rheinland-Pfalz", "source.ip": "77.179.66.156", "url.original": "/test", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36", "user_agent.os.full": "Mac OS X 10.12.0", @@ -322,7 +322,7 @@ "source.geo.region_name": "Rheinland-Pfalz", "source.ip": "77.179.66.156", "url.original": "/test", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36", "user_agent.os.full": "Mac OS X 10.12.0", @@ -369,7 +369,7 @@ "source.geo.region_name": "Rheinland-Pfalz", "source.ip": "77.179.66.156", "url.original": "/test1", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36", "user_agent.os.full": "Mac OS X 10.12.0", @@ -407,7 +407,7 @@ "source.address": "127.0.0.1", "source.ip": "127.0.0.1", "url.original": "/test1", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36", "user_agent.os.full": "Mac OS X 10.12.0", @@ -445,7 +445,7 @@ "source.address": "127.0.0.1", "source.ip": "127.0.0.1", "url.original": "/", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0", "user_agent.os.full": "Mac OS X 10.12", 
@@ -483,7 +483,7 @@ "source.address": "127.0.0.1", "source.ip": "127.0.0.1", "url.original": "/", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0", "user_agent.os.full": "Mac OS X 10.12", @@ -521,7 +521,7 @@ "source.address": "127.0.0.1", "source.ip": "127.0.0.1", "url.original": "/taga", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0", "user_agent.os.full": "Mac OS X 10.12", diff --git a/filebeat/module/nginx/access/test/test-with-host.log-expected.json b/filebeat/module/nginx/access/test/test-with-host.log-expected.json index 426b08eafd8..a1968695184 100644 --- a/filebeat/module/nginx/access/test/test-with-host.log-expected.json +++ b/filebeat/module/nginx/access/test/test-with-host.log-expected.json @@ -32,7 +32,7 @@ "source.address": "10.0.0.2", "source.ip": "10.0.0.2", "url.original": "/ocelot", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0", "user_agent.os.full": "Mac OS X 10.12", @@ -121,7 +121,7 @@ "source.geo.region_name": "Land Berlin", "source.ip": "85.181.35.98", "url.original": "/ocelot", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0", "user_agent.os.full": "Mac OS X 10.12", 
@@ -170,7 +170,7 @@ "source.geo.region_name": "Land Berlin", "source.ip": "85.181.35.98", "url.original": "/ocelot", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36", "user_agent.os.full": "Mac OS X 10.14.0", diff --git a/filebeat/module/nginx/access/test/test.log-expected.json b/filebeat/module/nginx/access/test/test.log-expected.json index 47d88c36ead..75caf6cf9f8 100644 --- a/filebeat/module/nginx/access/test/test.log-expected.json +++ b/filebeat/module/nginx/access/test/test.log-expected.json @@ -31,7 +31,7 @@ "source.address": "10.0.0.2", "source.ip": "10.0.0.2", "url.original": "/ocelot", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0", "user_agent.os.full": "Mac OS X 10.12", @@ -118,7 +118,7 @@ "source.geo.region_name": "Land Berlin", "source.ip": "85.181.35.98", "url.original": "/ocelot", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0", "user_agent.os.full": "Mac OS X 10.12", @@ -165,7 +165,7 @@ "source.geo.region_name": "Land Berlin", "source.ip": "85.181.35.98", "url.original": "/ocelot", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36", "user_agent.os.full": "Mac OS X 10.14.0", 
diff --git a/filebeat/module/nginx/ingress_controller/test/test.log-expected.json b/filebeat/module/nginx/ingress_controller/test/test.log-expected.json index 6a22bb503ca..4bf393a5906 100644 --- a/filebeat/module/nginx/ingress_controller/test/test.log-expected.json +++ b/filebeat/module/nginx/ingress_controller/test/test.log-expected.json @@ -336,7 +336,7 @@ "source.address": "192.168.64.1", "source.ip": "192.168.64.1", "url.original": "/products/42", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36", "user_agent.os.full": "Mac OS X 10.14.6", @@ -385,7 +385,7 @@ "source.address": "192.168.64.1", "source.ip": "192.168.64.1", "url.original": "/favicon.ico", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36", "user_agent.os.full": "Mac OS X 10.14.6", @@ -433,7 +433,7 @@ "source.address": "192.168.64.1", "source.ip": "192.168.64.1", "url.original": "/v2", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36", "user_agent.os.full": "Mac OS X 10.14.6", @@ -482,7 +482,7 @@ "source.address": "192.168.64.1", "source.ip": "192.168.64.1", "url.original": "/favicon.ico", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36", "user_agent.os.full": "Mac OS X 10.14.6", 
@@ -530,7 +530,7 @@ "source.address": "192.168.64.1", "source.ip": "192.168.64.1", "url.original": "/products/42", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Safari", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15", "user_agent.os.full": "Mac OS X 10.14.6", @@ -579,7 +579,7 @@ "source.address": "192.168.64.1", "source.ip": "192.168.64.1", "url.original": "/favicon.ico", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Safari", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15", "user_agent.os.full": "Mac OS X 10.14.6", @@ -627,7 +627,7 @@ "source.address": "192.168.64.1", "source.ip": "192.168.64.1", "url.original": "/products/42", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Safari", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15", "user_agent.os.full": "Mac OS X 10.14.6", @@ -675,7 +675,7 @@ "source.address": "192.168.64.1", "source.ip": "192.168.64.1", "url.original": "/", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Safari", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15", "user_agent.os.full": "Mac OS X 10.14.6", 
@@ -724,7 +724,7 @@ "source.address": "192.168.64.1", "source.ip": "192.168.64.1", "url.original": "/favicon.ico", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Safari", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15", "user_agent.os.full": "Mac OS X 10.14.6", @@ -772,7 +772,7 @@ "source.address": "192.168.64.1", "source.ip": "192.168.64.1", "url.original": "/v2", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Safari", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15", "user_agent.os.full": "Mac OS X 10.14.6", @@ -821,7 +821,7 @@ "source.address": "192.168.64.1", "source.ip": "192.168.64.1", "url.original": "/favicon.ico", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Safari", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15", "user_agent.os.full": "Mac OS X 10.14.6", @@ -914,7 +914,7 @@ "source.address": "192.168.64.1", "source.ip": "192.168.64.1", "url.original": "/v2", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -962,7 +962,7 @@ "source.address": "192.168.64.1", "source.ip": "192.168.64.1", "url.original": "/favicon.ico", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", 
@@ -1010,7 +1010,7 @@ "source.address": "192.168.64.1", "source.ip": "192.168.64.1", "url.original": "/v2/some", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", diff --git a/filebeat/tests/system/test_modules.py b/filebeat/tests/system/test_modules.py index a894290d37c..81f8ed28985 100644 --- a/filebeat/tests/system/test_modules.py +++ b/filebeat/tests/system/test_modules.py @@ -227,7 +227,7 @@ def clean_keys(obj): "cef.log", "cisco.asa", "cisco.ios", - "f5.firepass", + "cylance.protect", "fortinet.clientendpoint", "haproxy.log", "icinga.startup", @@ -239,6 +239,17 @@ def clean_keys(obj): "redis.log", "system.auth", "system.syslog", + "microsoft.defender_atp", + "crowdstrike.falcon_endpoint", + "crowdstrike.falcon_audit", + "gsuite.admin", + "gsuite.config", + "gsuite.drive", + "gsuite.groups", + "gsuite.ingest", + "gsuite.login", + "gsuite.saml", + "gsuite.user_accounts", } # dataset + log file pairs for which @timestamp is kept as an exception from above remove_timestamp_exception = { @@ -265,6 +276,8 @@ def clean_keys(obj): delete_key(obj, "@timestamp") # Also remove alternate time field from rsa parsers. delete_key(obj, "rsa.time.event_time") + # Remove event.ingested from testing, as it will never be the same. + delete_key(obj, "event.ingested") else: # excluded events need to have their filename saved to the expected.json # so that the exception mechanism can be triggered when the json is 
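Review bot: The module-wide rule `if obj["event.module"] == "gsuite"` that stripped `event.ingested` is replaced by an explicit list of eight `gsuite.*` datasets in the `@@ -239,6 +239,17 @@` hunk (the companion removal is the `@@ -276,14 +289,6 @@` hunk on the next line), so any gsuite fileset added later fails the expected-JSON comparison on `event.ingested` until someone remembers to list it here. Putting those datasets in this set also appears to route them through the branch in the `@@ -265,6 +276,8 @@` hunk that deletes `@timestamp` (its governing `if` is outside the hunk, so this is inferred), which the old code did not do for gsuite; a regression in gsuite timestamp parsing would then go unnoticed by these tests. If the broader stripping is intended, a short comment above the new entries would keep the coverage change visible, e.g. `# gsuite/crowdstrike/defender_atp: strip @timestamp and event.ingested, both vary per ingest run`. The enclosing `clean_keys` function starts before and continues after these hunks.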
@@ -276,14 +289,6 @@ def clean_keys(obj): if "event.end" not in obj: delete_key(obj, "@timestamp") - # Remove event.ingested from testing, as it will never be the same. - if obj["event.dataset"] == "microsoft.defender_atp": - delete_key(obj, "event.ingested") - delete_key(obj, "@timestamp") - - if obj["event.module"] == "gsuite": - delete_key(obj, "event.ingested") - def delete_key(obj, key): if key in obj: diff --git a/heartbeat/Dockerfile b/heartbeat/Dockerfile index 1ea4bda3cc6..df0b505d156 100644 --- a/heartbeat/Dockerfile +++ b/heartbeat/Dockerfile @@ -9,8 +9,6 @@ RUN \ python3-venv \ && rm -rf /var/lib/apt/lists/* -ENV PYTHON_ENV=/tmp/python-env - RUN pip3 install --upgrade pip==20.1.1 RUN pip3 install --upgrade setuptools==47.3.2 RUN pip3 install --upgrade docker-compose==1.23.2 diff --git a/heartbeat/docs/running-on-kubernetes.asciidoc b/heartbeat/docs/running-on-kubernetes.asciidoc new file mode 100644 index 00000000000..66a17cbb875 --- /dev/null +++ b/heartbeat/docs/running-on-kubernetes.asciidoc 
@@ -0,0 +1,74 @@ +[[running-on-kubernetes]] +=== Running {beatname_uc} on Kubernetes + +{beatname_uc} <> can be used on Kubernetes to +check resources uptime. + +ifeval::["{release-state}"=="unreleased"] + +However, version {version} of {beatname_uc} has not yet been +released, so no Docker image is currently available for this version. + +endif::[] + + +[float] +==== Kubernetes deploy manifests + +A single {beatname_uc} can check for uptime of the whole cluster. + +Everything is deployed under `kube-system` namespace, you can change that by +updating the YAML file. + +To get the manifests just run: + +["source", "sh", subs="attributes"] +------------------------------------------------ +curl -L -O https://raw.githubusercontent.com/elastic/beats/{branch}/deploy/kubernetes/{beatname_lc}-kubernetes.yaml +------------------------------------------------ + +[WARNING] +======================================= +If you are using Kubernetes 1.7 or earlier: {beatname_uc} uses a hostPath volume to persist internal data, it's located +under /var/lib/{beatname_lc}-data. The manifest uses folder autocreation (`DirectoryOrCreate`), which was introduced in +Kubernetes 1.8. You will need to remove `type: DirectoryOrCreate` from the manifest and create the host folder yourself. 
+======================================= + +[float] +==== Settings + +Some parameters are exposed in the manifest to configure logs destination, by +default they will use an existing Elasticsearch deploy if it's present, but you +may want to change that behavior, so just edit the YAML file and modify them: + +["source", "yaml", subs="attributes"] +------------------------------------------------ +- name: ELASTICSEARCH_HOST + value: elasticsearch +- name: ELASTICSEARCH_PORT + value: "9200" +- name: ELASTICSEARCH_USERNAME + value: elastic +- name: ELASTICSEARCH_PASSWORD + value: changeme +------------------------------------------------ + +[float] +==== Deploy + +To deploy {beatname_uc} to Kubernetes just run: + +["source", "sh", subs="attributes"] +------------------------------------------------ +kubectl create -f {beatname_lc}-kubernetes.yaml +------------------------------------------------ + +Then you should be able to check the status by running: + +["source", "sh", subs="attributes"] +------------------------------------------------ +$ kubectl --namespace=kube-system get deployment/{beatname_lc} + +NAME READY UP-TO-DATE AVAILABLE AGE +{beatname_lc} 1/1 1 1 1m +------------------------------------------------ diff --git a/heartbeat/docs/setting-up-running.asciidoc b/heartbeat/docs/setting-up-running.asciidoc index 4acaaa6ffea..9fbf90b7dc1 100644 --- a/heartbeat/docs/setting-up-running.asciidoc +++ b/heartbeat/docs/setting-up-running.asciidoc @@ -28,6 +28,8 @@ This section includes additional information on how to install, set up, and run * <> +* <> + * <> //MAINTAINERS: If you add a new file to this section, make sure you update the bulleted list ^^ too. @@ -42,6 +44,8 @@ include::{libbeat-dir}/repositories.asciidoc[] include::./running-on-docker.asciidoc[] +include::./running-on-kubernetes.asciidoc[] + include::{libbeat-dir}/shared-systemd.asciidoc[] include::{libbeat-dir}/shared/shutdown.asciidoc[] 
diff --git a/journalbeat/Dockerfile b/journalbeat/Dockerfile
index b003f0da5c5..e7600730be3 100644
--- a/journalbeat/Dockerfile
+++ b/journalbeat/Dockerfile
@@ -11,8 +11,6 @@ RUN \
 python3-venv \
 && rm -rf /var/lib/apt/lists/*
-ENV PYTHON_ENV=/tmp/python-env
-
 RUN pip3 install --upgrade pip==20.1.1
 RUN pip3 install --upgrade setuptools==47.3.2
 RUN pip3 install --upgrade docker-compose==1.23.2
diff --git a/journalbeat/Makefile b/journalbeat/Makefile
index 62bf3778d21..85049183d4e 100644
--- a/journalbeat/Makefile
+++ b/journalbeat/Makefile
@@ -1,6 +1,6 @@
 BEAT_NAME=journalbeat
 BEAT_TITLE=Journalbeat
-SYSTEM_TESTS=false
+SYSTEM_TESTS=true
 TEST_ENVIRONMENT=false
 ES_BEATS?=..
diff --git a/journalbeat/input/input.go b/journalbeat/input/input.go
index f8cbf1fbf73..b45b99d1816 100644
--- a/journalbeat/input/input.go
+++ b/journalbeat/input/input.go
@@ -79,7 +79,7 @@ func New(
 state := states[cfg.CheckpointID]
 r, err := reader.NewLocal(cfg, done, state, logger)
 if err != nil {
- return nil, fmt.Errorf("error creating reader for local journal: %v", err)
+ return nil, fmt.Errorf("error creating reader for local journal: %+v", err)
 }
 readers = append(readers, r)
 }
@@ -99,7 +99,7 @@ func New(
 state := states[cfg.CheckpointID]
 r, err := reader.New(cfg, done, state, logger)
 if err != nil {
- return nil, fmt.Errorf("error creating reader for journal: %v", err)
+ return nil, fmt.Errorf("error creating reader for journal: %+v", err)
 }
 readers = append(readers, r)
 }
diff --git a/journalbeat/reader/journal.go b/journalbeat/reader/journal.go
index fb5b91c5019..6b3136d65c6 100644
--- a/journalbeat/reader/journal.go
+++ b/journalbeat/reader/journal.go
@@ -76,6 +76,7 @@ func newReader(path string, c Config, done chan struct{}, state checkpoint.Journ
 instance.AddJournalToMonitor(c.Path, journal)
 return &Reader{
+ r: r,
 journal: journal,
 config: c,
 done: done,
diff --git a/journalbeat/tests/system/input/test.journal b/journalbeat/tests/system/input/test.journal
index 887d4917905..c42b825e62d 100644
Binary files a/journalbeat/tests/system/input/test.journal and b/journalbeat/tests/system/input/test.journal differ
diff --git a/journalbeat/tests/system/input/test.registry b/journalbeat/tests/system/input/test.registry
index 5c6680edb42..9b9dee108b3 100644
--- a/journalbeat/tests/system/input/test.registry
+++ b/journalbeat/tests/system/input/test.registry
@@ -1,6 +1,6 @@
 update_time: 2018-09-11T10:06:50.895829905Z
 journal_entries:
 - path: /home/n/go/src/github.com/elastic/beats/journalbeat/tests/system/input/test.journal
- cursor: s=7d22fd7aa0c7482d88c303f47d5f32dc;i=2fcb;b=902dc834f07d4f41ade064f6b2ef8b4f;m=1bf0ff5c6d;t=55913a25fe765;x=c7e6480eec30822b
- realtime_timestamp: 1505315746998117
- monotonic_timestamp: 120007384173
+ cursor: s=018329e08e3a45a0ae03694421c4f553;i=2015d;b=fa3c2e3080dc4cd5be5cb5a43e140d51;m=29102136a4;t=5ab0792b1dc62;x=84a1467480b8f1af
+ realtime_timestamp: 1595423897803874
+ monotonic_timestamp: 176364271268
diff --git a/journalbeat/tests/system/test_base.py b/journalbeat/tests/system/test_base.py
index c3898dfdbc9..2d7269dd5f4 100644
--- a/journalbeat/tests/system/test_base.py
+++ b/journalbeat/tests/system/test_base.py
@@ -45,19 +45,14 @@ def test_start_with_journal_directory(self):
 )
 journalbeat_proc = self.start_beat()
- required_log_snippets = [
- # journalbeat can be started
- "journalbeat is running",
- # journalbeat can seek to the position defined in the cursor
- "Tailing the journal file",
- ]
- for snippet in required_log_snippets:
- self.wait_until(lambda: self.log_contains(snippet),
- name="Line in '{}' Journalbeat log".format(snippet))
+ self.wait_until(lambda: self.log_contains("journalbeat is running"))
 exit_code = journalbeat_proc.kill_and_wait()
 assert exit_code == 0
+ # journalbeat is tailing an inactive journal
+ assert self.output_is_empty()
+
 @unittest.skipUnless(sys.platform.startswith("linux"), "Journald only on Linux")
 def test_start_with_selected_journal_file(self):
 """
@@ -74,17 +69,7 @@ def test_start_with_selected_journal_file(self):
 )
 journalbeat_proc = self.start_beat()
- required_log_snippets = [
- # journalbeat can be started
- "journalbeat is running",
- # journalbeat can seek to the position defined in the cursor
- "Reading from the beginning of the journal file",
- # message can be read from test journal
- "\"message\": \"thinkpad_acpi: unhandled HKEY event 0x60b0\"",
- ]
- for snippet in required_log_snippets:
- self.wait_until(lambda: self.log_contains(snippet),
- name="Line in '{}' Journalbeat log".format(snippet))
+ self.wait_until(lambda: self.output_has(lines=23))
 exit_code = journalbeat_proc.kill_and_wait()
 assert exit_code == 0
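Review bot: `assert self.output_is_empty()` is evaluated once, right after `kill_and_wait()`, and the only thing waited for beforehand is the "journalbeat is running" log line; a negative check taken at a single instant can pass simply because the reader had not yet published anything, so it does not show that tailing an inactive journal produces no events. The removed snippet list also waited for "Tailing the journal file", which pinned that the reader actually reached the tail position before the test ended. If that log line still exists, keeping a positive wait on it before the emptiness assertion, e.g. `self.wait_until(lambda: self.log_contains("Tailing the journal file"))`, would make the assertion meaningful; the same applies to the cursor-fallback hunk at L204. Both test methods start outside their hunks.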
@@ -106,21 +91,14 @@ def test_start_with_selected_journal_file_with_cursor_fallback(self):
 )
 journalbeat_proc = self.start_beat()
- required_log_snippets = [
- # journalbeat can be started
- "journalbeat is running",
- # journalbeat can seek to the position defined in cursor_seek_fallback.
- "Seeking method set to cursor, but no state is saved for reader. Starting to read from the end",
- # message can be read from test journal
- "\"message\": \"thinkpad_acpi: please report the conditions when this event happened to ibm-acpi-devel@lists.sourceforge.net\"",
- ]
- for snippet in required_log_snippets:
- self.wait_until(lambda: self.log_contains(snippet),
- name="Line in '{}' Journalbeat log".format(snippet))
+ self.wait_until(lambda: self.log_contains("journalbeat is running"))
 exit_code = journalbeat_proc.kill_and_wait()
 assert exit_code == 0
+ # journalbeat is tailing an inactive journal with no cursor data
+ assert self.output_is_empty()
+
 @unittest.skipUnless(sys.platform.startswith("linux"), "Journald only on Linux")
 def test_read_events_with_existing_registry(self):
 """
@@ -143,19 +121,7 @@ def test_read_events_with_existing_registry(self):
 )
 journalbeat_proc = self.start_beat()
- required_log_snippets = [
- # journalbeat can be started
- "journalbeat is running",
- # journalbeat can seek to the position defined in the cursor
- "Seeked to position defined in cursor",
- # message can be read from test journal
- "please report the conditions when this event happened to",
- # only one event is read and published
- 'journalbeat successfully published events\t{"event.count": 1}',
- ]
- for snippet in required_log_snippets:
- self.wait_until(lambda: self.log_contains(snippet),
- name="Line in '{}' Journalbeat log".format(snippet))
+ self.wait_until(lambda: self.output_has(lines=9))
 exit_code = journalbeat_proc.kill_and_wait()
 assert exit_code == 0
@@ -173,27 +139,13 @@ def test_read_events_with_include_matches(self):
 ],
 "seek": "head",
 "include_matches": [
- "syslog.priority=5",
+ "syslog.priority=6",
 ]
 }],
 )
 journalbeat_proc = self.start_beat()
- required_log_snippets = [
- # journalbeat can be started
- "journalbeat is running",
- # journalbeat can seek to the position defined in the cursor
- "Added matcher expression",
- # message can be read from test journal
- "unhandled HKEY event 0x60b0",
- "please report the conditions when this event happened to",
- "unhandled HKEY event 0x60b1",
- # Four events with priority 5 is publised
- 'journalbeat successfully published events\t{"event.count": 4}',
- ]
- for snippet in required_log_snippets:
- self.wait_until(lambda: self.log_contains(snippet),
- name="Line in '{}' Journalbeat log".format(snippet))
+ self.wait_until(lambda: self.output_has(lines=6))
 exit_code = journalbeat_proc.kill_and_wait()
 assert exit_code == 0
diff --git a/libbeat/Dockerfile b/libbeat/Dockerfile
index 9b89e87b685..942905e0671 100644
--- a/libbeat/Dockerfile
+++ b/libbeat/Dockerfile
@@ -10,8 +10,6 @@ RUN \
 python3-venv \
 && rm -rf /var/lib/apt/lists/*
-ENV PYTHON_ENV=/tmp/python-env
-
 RUN pip3 install --upgrade pip==20.1.1
 RUN pip3 install --upgrade setuptools==47.3.2
 RUN pip3 install --upgrade docker-compose==1.23.2
diff --git a/libbeat/autodiscover/providers/kubernetes/pod.go b/libbeat/autodiscover/providers/kubernetes/pod.go
index c856f790a6e..39df134b809 100644
--- a/libbeat/autodiscover/providers/kubernetes/pod.go
+++ b/libbeat/autodiscover/providers/kubernetes/pod.go
@@ -138,7 +138,7 @@ func (p *pod) OnUpdate(obj interface{}) {
 switch pod.Status.Phase {
 case kubernetes.PodSucceeded, kubernetes.PodFailed:
 // If Pod is in a phase where all containers in the have terminated emit a stop event
- p.logger.Debugf("Watcher Pod update (terminating): %+v", obj)
+ p.logger.Debugf("Watcher Pod update (terminated): %+v", obj)
 time.AfterFunc(p.config.CleanupTimeout, func() { p.emit(pod, "stop") })
 return
 case kubernetes.PodPending:
@@ -146,6 +146,22 @@ func (p *pod) OnUpdate(obj interface{}) {
 return
 }
+ // here handle the case when a Pod is in `Terminating` phase.
+ // In this case the pod is neither `PodSucceeded` nor `PodFailed` and
+ // hence requires special handling.
+ if pod.GetObjectMeta().GetDeletionTimestamp() != nil {
+ p.logger.Debugf("Watcher Pod update (terminating): %+v", obj)
+ // Pod is terminating, don't reload its configuration and ignore the event
+ // if some pod is still running, we will receive more events when containers
+ // terminate.
+ for _, container := range pod.Status.ContainerStatuses {
+ if container.State.Running != nil {
+ return
+ }
+ }
+ time.AfterFunc(p.config.CleanupTimeout, func() { p.emit(pod, "stop") })
+ }
+
 p.logger.Debugf("Watcher Pod update: %+v", obj)
 p.emit(pod, "stop")
 p.emit(pod, "start")
diff --git a/libbeat/dashboards/importer.go b/libbeat/dashboards/importer.go
index bf08fcd327f..0c56d073d91 100644
--- a/libbeat/dashboards/importer.go
+++ b/libbeat/dashboards/importer.go
@@ -305,7 +305,9 @@ func (imp Importer) ImportKibanaDir(dir string) error {
 // Loads the internal index pattern
 if imp.fields != nil {
- imp.loader.ImportIndex(imp.fields)
+ if err = imp.loader.ImportIndex(imp.fields); err != nil {
+ return errw.Wrap(err, "failed to import Kibana index pattern")
+ }
 }
 dir = path.Join(dir, versionPath)
diff --git a/libbeat/docs/output-cloud.asciidoc b/libbeat/docs/output-cloud.asciidoc
index f7d4039676b..6ad8329ff7d 100644
--- a/libbeat/docs/output-cloud.asciidoc
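Review bot: The new terminating branch falls through after scheduling the delayed stop: once no container is still running it calls `time.AfterFunc(...)` and then continues into the unconditional `p.emit(pod, "stop")` / `p.emit(pod, "start")` below, so a pod that is being deleted gets an immediate stop+start (re-launching its configuration) and a second stop later. The `PodSucceeded`/`PodFailed` case in the first hunk returns right after its `time.AfterFunc`, and this branch presumably wants the same; add `return` directly after the `time.AfterFunc(p.config.CleanupTimeout, func() { p.emit(pod, "stop") })` line inside the `if`, unless re-emitting start for a terminating pod is intended, in which case a comment saying so would help. OnUpdate starts outside the hunk.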
+++ b/libbeat/docs/output-cloud.asciidoc @@ -1,21 +1,21 @@ [[configure-cloud-id]] -=== Configure the output for the {ecloud} +=== Configure the output for {ess} on {ecloud} [subs="attributes"] ++++ -{ecloud} +{ess} ++++ ifdef::apm-server[] NOTE: This page refers to using a separate instance of APM Server with an existing -https://www.elastic.co/cloud/elasticsearch-service[{ess} deployment]. -If you want to use APM on {ecloud}, see the cloud docs: -{cloud}/ec-create-deployment.html[Create your deployment] or +{ess-product}[{ess} deployment]. +If you want to use APM on {ess}, see: +{cloud}/ec-create-deployment.html[Create your deployment] and {cloud}/ec-manage-apm-settings.html[Add APM user settings]. endif::apm-server[] {beatname_uc} comes with two settings that simplify the output configuration -when used together with https://cloud.elastic.co/[{ecloud}]. When defined, +when used together with {ess-product}[{ess}]. When defined, these setting overwrite settings from other parts in the configuration. Example: @@ -37,11 +37,11 @@ These settings can be also specified at the command line, like this: ==== `cloud.id` -The Cloud ID, which can be found in the {ecloud} web console, is used by +The Cloud ID, which can be found in the {ess} web console, is used by {beatname_uc} to resolve the {es} and {kib} URLs. This setting overwrites the `output.elasticsearch.hosts` and `setup.kibana.host` settings. -NOTE: The base64 encoded `cloud.id` found in the {ecloud} web console does not explicitly specify a port. This means that {beatname_uc} will default to using port 443 when using `cloud.id`, not the commonly configured cloud endpoint port 9243. +NOTE: The base64 encoded `cloud.id` found in the {ess} web console does not explicitly specify a port. This means that {beatname_uc} will default to using port 443 when using `cloud.id`, not the commonly configured cloud endpoint port 9243. ==== `cloud.auth` 
@@ -49,4 +49,3 @@ When specified, the `cloud.auth` overwrites the `output.elasticsearch.username` `output.elasticsearch.password` settings. Because the Kibana settings inherit the username and password from the {es} output, this can also be used to set the `setup.kibana.username` and `setup.kibana.password` options. - diff --git a/libbeat/docs/outputs-list.asciidoc b/libbeat/docs/outputs-list.asciidoc index 6c47991cb02..bd3b2878aa6 100644 --- a/libbeat/docs/outputs-list.asciidoc +++ b/libbeat/docs/outputs-list.asciidoc @@ -3,6 +3,9 @@ //# tag::outputs-list[] +ifndef::no_cloud_id[] +* <> +endif::[] ifndef::no_es_output[] * <> endif::[] @@ -21,13 +24,17 @@ endif::[] ifndef::no_console_output[] * <> endif::[] -ifndef::no_cloud_id[] -* <> -endif::[] //# end::outputs-list[] //# tag::outputs-include[] +ifndef::no_cloud_id[] +ifdef::requires_xpack[] +[role="xpack"] +endif::[] +include::output-cloud.asciidoc[] +endif::[] + ifndef::no_es_output[] ifdef::requires_xpack[] [role="xpack"] @@ -70,13 +77,6 @@ endif::[] include::{libbeat-outputs-dir}/console/docs/console.asciidoc[] endif::[] -ifndef::no_cloud_id[] -ifdef::requires_xpack[] -[role="xpack"] -endif::[] -include::output-cloud.asciidoc[] -endif::[] - ifndef::no_codec[] ifdef::requires_xpack[] [role="xpack"] diff --git a/libbeat/outputs/elasticsearch/docs/elasticsearch.asciidoc b/libbeat/outputs/elasticsearch/docs/elasticsearch.asciidoc index 9bca19a62f3..fbe9a918db3 100644 --- a/libbeat/outputs/elasticsearch/docs/elasticsearch.asciidoc +++ b/libbeat/outputs/elasticsearch/docs/elasticsearch.asciidoc 
@@ -5,69 +5,54 @@ Elasticsearch ++++ -When you specify Elasticsearch for the output, {beatname_uc} sends the transactions directly to Elasticsearch by using the Elasticsearch HTTP API. +The Elasticsearch output sends events directly to Elasticsearch using the Elasticsearch HTTP API. Example configuration: ["source","yaml",subs="attributes"] ------------------------------------------------------------------------------- - +---- output.elasticsearch: - hosts: ["https://localhost:9200"] - index: "{beat_default_index_prefix}-%{[{beat_version_key}]}-%{+yyyy.MM.dd}" - ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] - ssl.certificate: "/etc/pki/client/cert.pem" - ssl.key: "/etc/pki/client/cert.key" ------------------------------------------------------------------------------- + hosts: ["https://myEShost:9200"] <1> +---- +<1> To enable SSL, add `https` to all URLs defined under __hosts__. -Notes about the previous example and client based PKI authentication: +When sending data to a secured cluster through the `elasticsearch` +output, {beatname_uc} can use any of the following authentication methods: -- The `ssl.certificate` and `ssl.key` settings are ONLY needed if {es} is configured to require client based PKI authentication (with `xpack.security.http.ssl.client_authentication: required` or `xpack.security.http.ssl.client_authentication: optional`). -- The `ssl.certificate_authorities` setting needs to include the CA used to sign the remote server certificate, not the client cert. -- If client PKI is used, the remote server ({es}) should include the CA used for signing the client cert in the `xpack.security.http.ssl.certificate_authorities: []` list. +* Basic authentication credentials (username and password). +* Token-based (API key) authentication. +* Public Key Infrastructure (PKI) certificates. -To enable SSL, just add `https` to all URLs defined under __hosts__. 
+*Basic authentication:* ["source","yaml",subs="attributes,callouts"] ------------------------------------------------------------------------------- - +---- output.elasticsearch: - hosts: ["https://localhost:9200"] - username: "{beatname_lc}_internal" + hosts: ["https://myEShost:9200"] + username: "{beat_default_index_prefix}_writer" password: "{pwd}" ------------------------------------------------------------------------------- +---- -To use an API key to connect to {es}, use `api_key`. The value must be the ID of -the API key and the API key joined by a colon. +*API key authentication:* ["source","yaml",subs="attributes,callouts"] ------------------------------------------------------------------------------- +---- output.elasticsearch: - hosts: ["https://localhost:9200"] - api_key: "VuaCfGcBCdbkQm-e5aOx:ui2lp2axTNmsyakw9tvNnw" ------------------------------------------------------------------------------- + hosts: ["https://myEShost:9200"] + api_key: "KnR6yE41RrSowb0kQ0HWoA" +---- -If the Elasticsearch nodes are defined by `IP:PORT`, then add `protocol: https` to the yaml file. +*PKI certificate authentication:* ["source","yaml",subs="attributes,callouts"] ------------------------------------------------------------------------------- +---- output.elasticsearch: - hosts: ["localhost"] - protocol: "https" - username: "{beatname_lc}_internal" - password: "{pwd}" ------------------------------------------------------------------------------- - + hosts: ["https://myEShost:9200"] + ssl.certificate: "/etc/pki/client/cert.pem" + ssl.key: "/etc/pki/client/cert.key" +---- -For more information about securing {beatname_uc}, see -<>. - -ifndef::no_ilm[] -If you are indexing large amounts of time-series data, you might also want to -configure {beatname_uc} to use index lifecycle management. For more information -about configuring and using index lifecycle management with {beatname_uc}, see -<>. -endif::no_ilm[] +See <> for details on each authentication method. 
==== Compatibility @@ -82,9 +67,9 @@ You can specify the following options in the `elasticsearch` section of the +{be ===== `enabled` The enabled config is a boolean setting to enable or disable the output. If set -to false, the output is disabled. +to `false`, the output is disabled. -The default value is true. +The default value is `true`. [[hosts-option]] @@ -102,7 +87,7 @@ NOTE: When a node is defined as an `IP:PORT`, the _scheme_ and _path_ are taken [source,yaml] ------------------------------------------------------------------------------ output.elasticsearch: - hosts: ["10.45.3.2:9220", "10.45.3.1:9230"] + hosts: ["10.45.3.2:9220", "10.45.3.1:9230"] <1> protocol: https path: /elasticsearch ------------------------------------------------------------------------------ @@ -112,12 +97,12 @@ In the previous example, the Elasticsearch nodes are available at `https://10.45 ===== `compression_level` -The gzip compression level. Setting this value to 0 disables compression. -The compression level must be in the range of 1 (best speed) to 9 (best compression). +The gzip compression level. Setting this value to `0` disables compression. +The compression level must be in the range of `1` (best speed) to `9` (best compression). Increasing the compression level will reduce the network usage but will increase the cpu usage. -The default value is 0. +The default value is `0`. ===== `escape_html` 
@@ -132,18 +117,22 @@ The number of workers per configured host publishing events to Elasticsearch. Th is best used with load balancing mode enabled. Example: If you have 2 hosts and 3 workers, in total 6 workers are started (3 for each host). -The default value is 1. +The default value is `1`. ===== `api_key` -Instead of using usernames and passwords, you can use API keys to secure communication -with {es}. The value must be the ID of the API key and the API key joined by a colon. -For more information, see <>. +Instead of using a username and password, you can use API keys to secure communication +with {es}. The value must be the ID of the API key and the API key joined by a colon: `id:api_key`. + +See <> for more information. ===== `username` The basic authentication username for connecting to Elasticsearch. +This user needs the privileges required to publish events to {es}. +To create a user like this, see <>. + ===== `password` The basic authentication password for connecting to Elasticsearch. @@ -178,7 +167,7 @@ output.elasticsearch.headers: X-My-Header: Header contents ------------------------------------------------------------------------------ -It is generally possible to specify multiple header values for the same header +It is possible to specify multiple header values for the same header name by separating them with a comma. ===== `proxy_url` 
@@ -193,29 +182,13 @@ for more information about the environment variables. [[index-option-es]] ===== `index` +// Begin exclude for APM Server docs ifndef::apm-server[] The index name to write events to when you're using daily indices. The default is -+"{beatname_lc}-%{[{beat_version_key}]}-%{+yyyy.MM.dd}"+ (for example, -+"{beatname_lc}-{version}-{localdate}"+). If you change this setting, you also ++"{beatname_lc}-%{[{beat_version_key}]}-%{+yyyy.MM.dd}"+, for example, ++"{beatname_lc}-{version}-{localdate}"+. If you change this setting, you also need to configure the `setup.template.name` and `setup.template.pattern` options (see <>). -endif::apm-server[] - -ifdef::apm-server[] -The index name to write events to. The default is -+"apm-%{[{beat_version_key}]}-{type}-%{+yyyy.MM.dd}"+ (for example, -+"apm-{version}-transaction-{localdate}"+). See -<> for more information on -default index configuration. - -IMPORTANT: If you change this setting, -you need to configure the `setup.template.name` and `setup.template.pattern` options -(see <>). You also must set the default index configuration -in the `apm-server.yml` file. - -NOTE: +{beat_version_key}+ is a field managed by Beats that is added to every document. -It holds the current version of APM Server. -endif::apm-server[] ifndef::no_dashboards[] If you are using the pre-built Kibana 
@@ -223,11 +196,12 @@ dashboards, you also need to set the `setup.dashboards.index` option (see <>). endif::no_dashboards[] -ifndef::apm-server[] ifndef::no_ilm[] -The `index` setting is ignored when index lifecycle management is enabled. If -you’re sending events to a cluster that supports index lifecycle management, see -<> to learn how to change the index name. +When <> is enabled, the default `index` is ++"{beatname_lc}-%{[{beat_version_key}]}-%{+yyyy.MM.dd}-%{index_num}"+, for example, ++"{beatname_lc}-{version}-{localdate}-000001"+. Custom `index` settings are ignored +when ILM is enabled. If you’re sending events to a cluster that supports index +lifecycle management, see <> to learn how to change the index name. endif::no_ilm[] You can set the index dynamically by using a format string to access any event 
@@ -249,11 +223,23 @@ index named +normal-{version}-{localdate}+, and all events with `log_type: critical` are sent to an index named +critical-{version}-{localdate}+. endif::apm-server[] +// End exclude for APM Server docs +// Start include for APM Server docs ifdef::apm-server[] +The index name to write events to when you're using daily indices. The default is ++"apm-%{[{beat_version_key}]}-{type}-%{+yyyy.MM.dd}"+ (for example, ++"apm-{version}-transaction-{localdate}"+). If you change this setting, +you need to configure the `setup.template.name` and `setup.template.pattern` options +(see <>). + +When <> is enabled, the default `index` is ++"apm-%{[{beat_version_key}]}-{type}-%{index_num}"+ (for example, ++"apm-{version}-transaction-000001"+). **Defining a custom `index` here will disable <>**. + You can set the index dynamically by using a format string to access any event -field. For example, this configuration uses the field, `processor.event`, -to set the index: +field. For example, this configuration uses the field, `processor.event` to separate +events into different indices: ["source","yaml",subs="attributes"] ------------------------------------------------------------------------------ 
@@ -261,14 +247,13 @@ output.elasticsearch: hosts: ["http://localhost:9200"] index: "apm-%{[observer.version]}-%{[processor.event]}-%{+yyyy.MM.dd}\" <1> ------------------------------------------------------------------------------ - -<1> `observer` refers to {beatname_uc}. We recommend including -+{beat_version_key}+ in the name to avoid mapping issues when you upgrade +<1> +{beat_version_key}+ is a field managed by Beats that is added to every document; +It holds the current version of APM Server. We recommend including ++{beat_version_key}+ in the index name to avoid mapping issues when you upgrade {beatname_uc}. -With this configuration, -all events are separated by their `processor.event` into different indices. endif::apm-server[] +// End include for APM Server docs TIP: To learn how to add custom fields to events, see the <> option. @@ -276,7 +261,6 @@ TIP: To learn how to add custom fields to events, see the See the <> setting for other ways to set the index dynamically. - [[indices-option-es]] ===== `indices` @@ -286,6 +270,10 @@ matching rule in the array. Rules can contain conditionals, format string-based fields, and name mappings. If the `indices` setting is missing or no rule matches, the <> setting is used. +ifndef::no_ilm[] +Similar to `index`, defining custom `indices` will disable <>. +endif::no_ilm[] + Rule settings: *`index`*:: The index format string to use. If this string contains field 
@@ -359,23 +347,23 @@ output.elasticsearch: - index: "apm-%{[observer.version]}-sourcemap" when.contains: processor.event: "sourcemap" - + - index: "apm-%{[observer.version]}-error-%{+yyyy.MM.dd}" when.contains: processor.event: "error" - + - index: "apm-%{[observer.version]}-transaction-%{+yyyy.MM.dd}" when.contains: processor.event: "transaction" - + - index: "apm-%{[observer.version]}-span-%{+yyyy.MM.dd}" when.contains: processor.event: "span" - + - index: "apm-%{[observer.version]}-metric-%{+yyyy.MM.dd}" when.contains: processor.event: "metric" - + - index: "apm-%{[observer.version]}-onboarding-%{+yyyy.MM.dd}" when.contains: processor.event: "onboarding" @@ -385,7 +373,7 @@ NOTE: `observer` refers to {beatname_uc}. We recommend including +{beat_version_key}+ in the name to avoid mapping issues when you upgrade {beatname_uc}. -This is the default configuration for {beatname_uc} and results in indices +This is the default configuration for {beatname_uc} when ILM is disabled, and results in indices named in the following format: +"apm-%{[{beat_version_key}]}-{type}-%{+yyyy.MM.dd}"+ For example: +"apm-{version}-transaction-{localdate}"+. @@ -452,7 +440,6 @@ output.elasticsearch: pipeline: "%{[fields.log_type]}_pipeline" ------------------------------------------------------------------------------ - With this configuration, all events with `log_type: normal` are sent to a pipeline named `normal_pipeline`, and all events with `log_type: critical` are sent to a pipeline named `critical_pipeline`. 
@@ -470,13 +457,12 @@ output.elasticsearch: pipeline: "%{[processor.event]}_pipeline" ------------------------------------------------------------------------------ - With this configuration, all events with `processor.event: transaction` are sent to a pipeline named `transaction_pipeline`. Similarly, all events with `processor.event: error` are sent to a pipeline named `error_pipeline`. -The default pipeline is `apm`. It adds user agent and geo ip information to events. -To disable this, or any other pipeline, set `output.elasticsearch.pipeline: _none`. +The default pipeline is `apm`. To disable this, or any other pipeline, set +`output.elasticsearch.pipeline: _none`. endif::apm-server[] TIP: To learn how to add custom fields to events, see the @@ -565,23 +551,23 @@ output.elasticsearch: - pipeline: "sourcemap_pipeline" when.contains: processor.event: "sourcemap" - + - pipeline: "error_pipeline" when.contains: processor.event: "error" - + - pipeline: "transaction_pipeline" when.contains: processor.event: "transaction" - + - pipeline: "span_pipeline" when.contains: processor.event: "span" - + - pipeline: "metric_pipeline" when.contains: processor.event: "metric" - + - pipeline: "onboarding_pipeline" when.contains: processor.event: "onboarding" @@ -658,13 +644,13 @@ The number of seconds to wait before trying to reconnect to Elasticsearch after a network error. After waiting `backoff.init` seconds, {beatname_uc} tries to reconnect. If the attempt fails, the backoff timer is increased exponentially up to `backoff.max`. After a successful connection, the backoff timer is reset. The -default is 1s. +default is `1s`. ===== `backoff.max` The maximum number of seconds to wait before attempting to connect to -Elasticsearch after a network error. The default is 60s. +Elasticsearch after a network error. The default is `60s`. ===== `timeout` 
@@ -676,7 +662,8 @@ Configuration options for SSL parameters like the certificate authority to use for HTTPS-based connections. If the `ssl` section is missing, the host CAs are used for HTTPS connections to Elasticsearch.
-See <> for more information.
+See the <> guide
+or <> for more information.
 ===== `kerberos`
diff --git a/libbeat/publisher/pipeline/client.go b/libbeat/publisher/pipeline/client.go
index 07b40f276fc..2ce792ed887 100644
--- a/libbeat/publisher/pipeline/client.go
+++ b/libbeat/publisher/pipeline/client.go
@@ -271,7 +271,7 @@ func (w *clientCloseWaiter) signalClose() {
 return
 }
- w.closing.Store(false)
+ w.closing.Store(true)
 if w.events.Load() == 0 {
 w.finishClose()
 return
diff --git a/libbeat/publisher/pipeline/client_test.go b/libbeat/publisher/pipeline/client_test.go
index 88c3a67eb81..6c4c3006845 100644
--- a/libbeat/publisher/pipeline/client_test.go
+++ b/libbeat/publisher/pipeline/client_test.go
@@ -21,11 +21,14 @@ import (
 "context"
 "sync"
 "testing"
+ "time"
 "github.com/elastic/beats/v7/libbeat/beat"
 "github.com/elastic/beats/v7/libbeat/logp"
 "github.com/elastic/beats/v7/libbeat/outputs"
+ "github.com/elastic/beats/v7/libbeat/publisher"
 "github.com/elastic/beats/v7/libbeat/publisher/queue"
+ "github.com/elastic/beats/v7/libbeat/publisher/queue/memqueue"
 "github.com/elastic/beats/v7/libbeat/tests/resources"
 )
@@ -113,3 +116,92 @@ func TestClient(t *testing.T) {
 }
 })
 }
+
+func TestClientWaitClose(t *testing.T) {
+ routinesChecker := resources.NewGoroutinesChecker()
+ defer routinesChecker.Check(t)
+
+ makePipeline := func(settings Settings, qu queue.Queue) *Pipeline {
+ p, err := New(beat.Info{},
+ Monitors{},
+ func(queue.ACKListener) (queue.Queue, error) { return qu, nil },
+ outputs.Group{},
+ settings,
+ )
+ if err != nil {
+ panic(err)
+ }
+
+ return p
+ }
+ if testing.Verbose() {
+ logp.TestingSetup()
+ }
+
+ q := memqueue.NewQueue(logp.L(), memqueue.Settings{Events: 1})
+ pipeline := makePipeline(Settings{}, q)
+ defer pipeline.Close()
+
+ t.Run("WaitClose blocks", func(t *testing.T) {
+ client, err := pipeline.ConnectWith(beat.ClientConfig{
+ WaitClose: 500 * time.Millisecond,
+ })
+ if err != nil {
+ t.Fatal(err)
+ }
+ defer client.Close()
+
+ // Send an event which never gets acknowledged.
+ client.Publish(beat.Event{})
+
+ closed := make(chan struct{})
+ go func() {
+ defer close(closed)
+ client.Close()
+ }()
+
+ select {
+ case <-closed:
+ t.Fatal("expected Close to wait for event acknowledgement")
+ case <-time.After(100 * time.Millisecond):
+ }
+
+ select {
+ case <-closed:
+ case <-time.After(10 * time.Second):
+ t.Fatal("expected Close to stop waiting after WaitClose elapses")
+ }
+ })
+
+ t.Run("ACKing events unblocks WaitClose", func(t *testing.T) {
+ client, err := pipeline.ConnectWith(beat.ClientConfig{
+ WaitClose: time.Minute,
+ })
+ if err != nil {
+ t.Fatal(err)
+ }
+ defer client.Close()
+
+ // Send an event which gets acknowledged immediately.
+ client.Publish(beat.Event{})
+ output := newMockClient(func(batch publisher.Batch) error {
+ batch.ACK()
+ return nil
+ })
+ defer output.Close()
+ pipeline.output.Set(outputs.Group{Clients: []outputs.Client{output}})
+ defer pipeline.output.Set(outputs.Group{})
+
+ closed := make(chan struct{})
+ go func() {
+ defer close(closed)
+ client.Close()
+ }()
+
+ select {
+ case <-closed:
+ case <-time.After(10 * time.Second):
+ t.Fatal("expected Close to stop waiting after event acknowledgement")
+ }
+ })
+}
diff --git a/libbeat/statestore/backend/memlog/util.go b/libbeat/statestore/backend/memlog/util.go
index 2027c87adca..e2c5d4e6f68 100644
--- a/libbeat/statestore/backend/memlog/util.go
+++ b/libbeat/statestore/backend/memlog/util.go
@@ -55,7 +55,7 @@ func (e *ensureWriter) Write(p []byte) (int, error) {
 for len(p) > 0 {
 n, err := e.w.Write(p)
 N, p = N+n, p[n:]
- if isRetryErr(err) {
+ if err != nil && !isRetryErr(err) {
 return N, err
 }
 }
diff --git a/libbeat/statestore/backend/memlog/util_test.go b/libbeat/statestore/backend/memlog/util_test.go
new file mode 100644
index 00000000000..fca2a2bbaf6
--- /dev/null
+++ b/libbeat/statestore/backend/memlog/util_test.go
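Review bot: `makePipeline` aborts the whole test binary with `panic(err)` when `New` fails; inside a test the idiom is `t.Fatal(err)` (or returning the error so the caller fails the test). The result of `logp.TestingSetup()` is discarded, and both subtests `defer client.Close()` while also closing the same client from the goroutine, so the test silently depends on `Close` being safe to call twice — a comment such as `// Close is idempotent; the deferred call only covers early t.Fatal exits.` or dropping the defer would make that explicit. The first subtest cannot complete in less than the 500 ms `WaitClose` because nothing ever ACKs the event, which is intended but worth a one-line note above `client.Publish`.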
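Review bot: With the corrected condition, a writer that keeps returning a retriable error with `n == 0` now spins in `for len(p) > 0` with no bound or back-off, since the loop only exits on progress or a non-retriable error; on a non-blocking descriptor that is a busy loop pinning a CPU. A retry cap, or a `runtime.Gosched()`/short sleep before re-issuing the write when `n == 0`, would keep a stuck writer from doing that. A comment like `// Retriable errors (e.g. EAGAIN, as exercised by util_test.go) are retried until the whole buffer is written.` would also make the intent explicit. Write's body starts before the hunk.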
@@ -0,0 +1,81 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package memlog
+
+import (
+ "syscall"
+ "testing"
+)
+
+// A mock Writer implementation that always returns a configurable
+// error on the first write call, to test error handling in ensureWriter.
+type mockErrorWriter struct {
+ errorType error
+ reportedError bool
+}
+
+func (mew *mockErrorWriter) Write(data []byte) (n int, err error) {
+ if !mew.reportedError {
+ mew.reportedError = true
+ return 0, mew.errorType
+ }
+ return len(data), nil
+}
+
+func TestEnsureWriter_RetriableError(t *testing.T) {
+ // EAGAIN is retriable, ensureWriter.Write should succeed.
+ errorWriter := &mockErrorWriter{errorType: syscall.EAGAIN}
+ bytes := []byte{1, 2, 3}
+ writer := &ensureWriter{errorWriter}
+ written, err := writer.Write(bytes)
+ if err != nil {
+ t.Fatalf("ensureWriter shouldn't propagate retriable errors")
+ }
+ if written != len(bytes) {
+ t.Fatalf("Expected %d bytes written, got %d", len(bytes), written)
+ }
+}
+
+func TestEnsureWriter_NonRetriableError(t *testing.T) {
+ // EINVAL is not retriable, ensureWriter.Write should return an error.
+ errorWriter := &mockErrorWriter{errorType: syscall.EINVAL} + bytes := []byte{1, 2, 3} + writer := &ensureWriter{errorWriter} + written, err := writer.Write(bytes) + if err != syscall.EINVAL { + t.Fatalf("ensureWriter should propagate nonretriable errors") + } + if written != 0 { + t.Fatalf("Expected 0 bytes written, got %d", written) + } +} + +func TestEnsureWriter_NoError(t *testing.T) { + // This tests the case where the underlying writer returns with no error, + // but without writing the full buffer. + var bytes []byte = []byte{1, 2, 3} + errorWriter := &mockErrorWriter{errorType: nil} + writer := &ensureWriter{errorWriter} + written, err := writer.Write(bytes) + if err != nil { + t.Fatalf("ensureWriter should only error if the underlying writer does") + } + if written != len(bytes) { + t.Fatalf("Expected %d bytes written, got %d", len(bytes), written) + } +} diff --git a/libbeat/template/template.go b/libbeat/template/template.go index b11599eb205..dac3a920196 100644 --- a/libbeat/template/template.go +++ b/libbeat/template/template.go @@ -32,9 +32,10 @@ import ( var ( // Defaults used in the template - defaultDateDetection = false - defaultTotalFieldsLimit = 10000 - defaultNumberOfRoutingShards = 30 + defaultDateDetection = false + defaultTotalFieldsLimit = 10000 + defaultNumberOfRoutingShards = 30 + defaultMaxDocvalueFieldsSearch = 200 // Array to store dynamicTemplate parts in dynamicTemplates []common.MapStr @@ -325,6 +326,10 @@ func buildIdxSettings(ver common.Version, userSettings common.MapStr) common.Map indexSettings.Put("query.default_field", fields) } + if ver.Major >= 6 { + indexSettings.Put("max_docvalue_fields_search", defaultMaxDocvalueFieldsSearch) + } + indexSettings.DeepUpdate(userSettings) return indexSettings } diff --git a/libbeat/template/template_test.go b/libbeat/template/template_test.go index 7e6a688db5d..52080274dd6 100644 --- a/libbeat/template/template_test.go +++ b/libbeat/template/template_test.go 
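Review bot: The three tests name a local `bytes`, which shadows the standard-library package name, and `var bytes []byte = []byte{1, 2, 3}` in TestEnsureWriter_NoError is redundant — `buf := []byte{1, 2, 3}` in all three reads better. The `mockErrorWriter` doc comment says it "always returns" the error although `Write` returns it only on the first call and succeeds afterwards; `// Write returns errorType on the first call and writes the whole buffer on every later call.` matches the code. If `isRetryErr` has per-platform implementations, the hard-coded `syscall.EAGAIN` case may need a build constraint or a per-platform errno — worth checking before this runs on Windows CI.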
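Review bot: The new `if ver.Major >= 6` block in buildIdxSettings gives no reason for the version threshold or for the value 200, and since `index.max_docvalue_fields_search` is a per-request resource cap enforced by the cluster, raising it above the server default should be recorded. A comment such as `// Raise the docvalue-field cap for search requests; gated on ES 6+ presumably because older versions lack the setting. User settings merged below still take precedence.` above the `if` would do, and the `defaultMaxDocvalueFieldsSearch` constant in the first hunk could carry a one-line note as well. The `DeepUpdate(userSettings)` on the following line preserving user overrides is the right order.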
@@ -113,6 +113,7 @@ func TestTemplate(t *testing.T) { template.Assert("index_patterns", []string{"testbeat-" + currentVersion + "-*"}) template.Assert("order", 1) template.Assert("mappings.doc._meta", common.MapStr{"beat": "testbeat", "version": currentVersion}) + template.Assert("settings.index.max_docvalue_fields_search", 200) }) t.Run("for ES 7.x", func(t *testing.T) { @@ -120,6 +121,7 @@ func TestTemplate(t *testing.T) { template.Assert("index_patterns", []string{"testbeat-" + currentVersion + "-*"}) template.Assert("order", 1) template.Assert("mappings._meta", common.MapStr{"beat": "testbeat", "version": currentVersion}) + template.Assert("settings.index.max_docvalue_fields_search", 200) }) t.Run("for ES 8.x", func(t *testing.T) { @@ -127,6 +129,7 @@ func TestTemplate(t *testing.T) { template.Assert("index_patterns", []string{"testbeat-" + currentVersion + "-*"}) template.Assert("order", 1) template.Assert("mappings._meta", common.MapStr{"beat": "testbeat", "version": currentVersion}) + template.Assert("settings.index.max_docvalue_fields_search", 200) }) } diff --git a/libbeat/tests/system/beat/beat.py b/libbeat/tests/system/beat/beat.py index bf77ae98230..1c6a99ba73f 100644 --- a/libbeat/tests/system/beat/beat.py +++ b/libbeat/tests/system/beat/beat.py @@ -488,6 +488,21 @@ def output_has(self, lines, output_file=None): except IOError: return False + def output_is_empty(self, output_file=None): + """ + Returns true if the output is empty. + """ + + # Init defaults + if output_file is None: + output_file = "output/" + self.beat_name + + try: + with open(os.path.join(self.working_dir, output_file, ), "r", encoding="utf_8") as f: + return len([1 for line in f]) == 0 + except IOError: + return True + def output_has_message(self, message, output_file=None): """ Returns true if the output has the given message field. diff --git a/libbeat/tests/system/requirements.txt b/libbeat/tests/system/requirements.txt index d2aa5c3889b..7c1ce599457 100644 
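Review bot: `output_is_empty` returns True for any `IOError`, so a permission-denied or is-a-directory error on the output file reads as "output is empty" and a test asserting emptiness passes spuriously; catching `FileNotFoundError` only (the file genuinely not existing yet) and letting other errors propagate is safer, even though the neighbouring `output_has` uses the broad catch. The check also materializes the whole file as a list: `return not any(True for _ in f)` stops at the first line. The stray `, )` in `os.path.join(self.working_dir, output_file, )` should be dropped.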
--- a/libbeat/tests/system/requirements.txt +++ b/libbeat/tests/system/requirements.txt @@ -14,7 +14,7 @@ idna==2.6 ipaddress==1.0.19 Jinja2==2.10.1 jsonschema==2.6.0 -MarkupSafe==1.0 +MarkupSafe==1.1.1 nose==1.3.7 nose-timer==0.7.1 pycodestyle==2.4.0 diff --git a/metricbeat/Dockerfile b/metricbeat/Dockerfile index e3bd6006dc5..e79d6014459 100644 --- a/metricbeat/Dockerfile +++ b/metricbeat/Dockerfile @@ -11,8 +11,6 @@ RUN \ unzip \ && rm -rf /var/lib/apt/lists/* -ENV PYTHON_ENV=/tmp/python-env - RUN pip3 install --upgrade pip==20.1.1 RUN pip3 install --upgrade setuptools==47.3.2 RUN pip3 install --upgrade docker-compose==1.23.2 diff --git a/metricbeat/docs/modules/activemq/broker.asciidoc b/metricbeat/docs/modules/activemq/broker.asciidoc index 98002403c88..91aa38d4961 100644 --- a/metricbeat/docs/modules/activemq/broker.asciidoc +++ b/metricbeat/docs/modules/activemq/broker.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-activemq-broker]] +[role="xpack"] === ActiveMQ broker metricset include::../../../../x-pack/metricbeat/module/activemq/broker/_meta/docs.asciidoc[] diff --git a/metricbeat/docs/modules/activemq/queue.asciidoc b/metricbeat/docs/modules/activemq/queue.asciidoc index dde22c0fe02..321e653c3f8 100644 --- a/metricbeat/docs/modules/activemq/queue.asciidoc +++ b/metricbeat/docs/modules/activemq/queue.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-activemq-queue]] +[role="xpack"] === ActiveMQ queue metricset include::../../../../x-pack/metricbeat/module/activemq/queue/_meta/docs.asciidoc[] diff --git a/metricbeat/docs/modules/activemq/topic.asciidoc b/metricbeat/docs/modules/activemq/topic.asciidoc index 416726f5768..a7f28177f01 100644 --- a/metricbeat/docs/modules/activemq/topic.asciidoc +++ b/metricbeat/docs/modules/activemq/topic.asciidoc 
@@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-activemq-topic]] +[role="xpack"] === ActiveMQ topic metricset include::../../../../x-pack/metricbeat/module/activemq/topic/_meta/docs.asciidoc[] diff --git a/metricbeat/docs/modules/appsearch/stats.asciidoc b/metricbeat/docs/modules/appsearch/stats.asciidoc index e9bcccbed76..d2cbb6a5671 100644 --- a/metricbeat/docs/modules/appsearch/stats.asciidoc +++ b/metricbeat/docs/modules/appsearch/stats.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-appsearch-stats]] +[role="xpack"] === App Search stats metricset beta[] diff --git a/metricbeat/docs/modules/aws.asciidoc b/metricbeat/docs/modules/aws.asciidoc index add39a7cbbb..42d24c65ccd 100644 --- a/metricbeat/docs/modules/aws.asciidoc +++ b/metricbeat/docs/modules/aws.asciidoc @@ -10,10 +10,12 @@ This file is generated! See scripts/mage/docs_collector.go This module periodically fetches monitoring metrics from AWS CloudWatch using https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_GetMetricData.html[GetMetricData API] for AWS services. -Note: extra AWS charges on GetMetricData API requests will be generated by this module. All metrics are enabled by default. +IMPORTANT: Extra AWS charges on CloudWatch API requests will be generated by this +module. Please see <> for more details. + [float] == Module-specific configuration notes @@ -196,6 +198,7 @@ real-time metrics for users to better understand the performance of their web applications and services. [float] +[[aws-api-requests]] == AWS API requests count per metricset This session is to document what are the AWS API called made by each metricset in `aws` module. This will be useful for users to estimate costs for using `aws` diff --git a/metricbeat/docs/modules/aws/billing.asciidoc b/metricbeat/docs/modules/aws/billing.asciidoc index bb2ac58819b..357ad2f564b 100644 
--- a/metricbeat/docs/modules/aws/billing.asciidoc +++ b/metricbeat/docs/modules/aws/billing.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-aws-billing]] +[role="xpack"] === AWS billing metricset beta[] diff --git a/metricbeat/docs/modules/aws/cloudwatch.asciidoc b/metricbeat/docs/modules/aws/cloudwatch.asciidoc index f0673a0213f..23688481521 100644 --- a/metricbeat/docs/modules/aws/cloudwatch.asciidoc +++ b/metricbeat/docs/modules/aws/cloudwatch.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-aws-cloudwatch]] +[role="xpack"] === AWS cloudwatch metricset include::../../../../x-pack/metricbeat/module/aws/cloudwatch/_meta/docs.asciidoc[] diff --git a/metricbeat/docs/modules/aws/dynamodb.asciidoc b/metricbeat/docs/modules/aws/dynamodb.asciidoc index 3f5a642e919..103c7f23025 100644 --- a/metricbeat/docs/modules/aws/dynamodb.asciidoc +++ b/metricbeat/docs/modules/aws/dynamodb.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-aws-dynamodb]] +[role="xpack"] === AWS dynamodb metricset beta[] diff --git a/metricbeat/docs/modules/aws/ebs.asciidoc b/metricbeat/docs/modules/aws/ebs.asciidoc index 3c52e61924e..970ff4d6604 100644 --- a/metricbeat/docs/modules/aws/ebs.asciidoc +++ b/metricbeat/docs/modules/aws/ebs.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-aws-ebs]] +[role="xpack"] === AWS ebs metricset include::../../../../x-pack/metricbeat/module/aws/ebs/_meta/docs.asciidoc[] diff --git a/metricbeat/docs/modules/aws/ec2.asciidoc b/metricbeat/docs/modules/aws/ec2.asciidoc index 151c97ca0b7..8c71f9dbea5 100644 --- a/metricbeat/docs/modules/aws/ec2.asciidoc +++ b/metricbeat/docs/modules/aws/ec2.asciidoc 
@@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-aws-ec2]] +[role="xpack"] === AWS ec2 metricset include::../../../../x-pack/metricbeat/module/aws/ec2/_meta/docs.asciidoc[] diff --git a/metricbeat/docs/modules/aws/elb.asciidoc b/metricbeat/docs/modules/aws/elb.asciidoc index 65afc9458a4..1391dc54428 100644 --- a/metricbeat/docs/modules/aws/elb.asciidoc +++ b/metricbeat/docs/modules/aws/elb.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-aws-elb]] +[role="xpack"] === AWS elb metricset include::../../../../x-pack/metricbeat/module/aws/elb/_meta/docs.asciidoc[] diff --git a/metricbeat/docs/modules/aws/lambda.asciidoc b/metricbeat/docs/modules/aws/lambda.asciidoc index dd605738360..5e31c8fdc56 100644 --- a/metricbeat/docs/modules/aws/lambda.asciidoc +++ b/metricbeat/docs/modules/aws/lambda.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-aws-lambda]] +[role="xpack"] === AWS lambda metricset beta[] diff --git a/metricbeat/docs/modules/aws/natgateway.asciidoc b/metricbeat/docs/modules/aws/natgateway.asciidoc index e685ee3d62d..29b8d0f9013 100644 --- a/metricbeat/docs/modules/aws/natgateway.asciidoc +++ b/metricbeat/docs/modules/aws/natgateway.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-aws-natgateway]] +[role="xpack"] === AWS natgateway metricset beta[] diff --git a/metricbeat/docs/modules/aws/rds.asciidoc b/metricbeat/docs/modules/aws/rds.asciidoc index 66ec3c6e130..41aa085518f 100644 --- a/metricbeat/docs/modules/aws/rds.asciidoc +++ b/metricbeat/docs/modules/aws/rds.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-aws-rds]] +[role="xpack"] === AWS rds metricset include::../../../../x-pack/metricbeat/module/aws/rds/_meta/docs.asciidoc[] 
diff --git a/metricbeat/docs/modules/aws/s3_daily_storage.asciidoc b/metricbeat/docs/modules/aws/s3_daily_storage.asciidoc index 39acd46fde5..251fe923231 100644 --- a/metricbeat/docs/modules/aws/s3_daily_storage.asciidoc +++ b/metricbeat/docs/modules/aws/s3_daily_storage.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-aws-s3_daily_storage]] +[role="xpack"] === AWS s3_daily_storage metricset include::../../../../x-pack/metricbeat/module/aws/s3_daily_storage/_meta/docs.asciidoc[] diff --git a/metricbeat/docs/modules/aws/s3_request.asciidoc b/metricbeat/docs/modules/aws/s3_request.asciidoc index da4eb8a9cbe..53bef698894 100644 --- a/metricbeat/docs/modules/aws/s3_request.asciidoc +++ b/metricbeat/docs/modules/aws/s3_request.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-aws-s3_request]] +[role="xpack"] === AWS s3_request metricset include::../../../../x-pack/metricbeat/module/aws/s3_request/_meta/docs.asciidoc[] diff --git a/metricbeat/docs/modules/aws/sns.asciidoc b/metricbeat/docs/modules/aws/sns.asciidoc index 5d8ad8bfed4..82c3a7946f5 100644 --- a/metricbeat/docs/modules/aws/sns.asciidoc +++ b/metricbeat/docs/modules/aws/sns.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-aws-sns]] +[role="xpack"] === AWS sns metricset beta[] diff --git a/metricbeat/docs/modules/aws/sqs.asciidoc b/metricbeat/docs/modules/aws/sqs.asciidoc index d3e67466634..7c6129cbacb 100644 --- a/metricbeat/docs/modules/aws/sqs.asciidoc +++ b/metricbeat/docs/modules/aws/sqs.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-aws-sqs]] +[role="xpack"] === AWS sqs metricset include::../../../../x-pack/metricbeat/module/aws/sqs/_meta/docs.asciidoc[] 
diff --git a/metricbeat/docs/modules/aws/transitgateway.asciidoc b/metricbeat/docs/modules/aws/transitgateway.asciidoc index bd9cb86f668..53d897aeacd 100644 --- a/metricbeat/docs/modules/aws/transitgateway.asciidoc +++ b/metricbeat/docs/modules/aws/transitgateway.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-aws-transitgateway]] +[role="xpack"] === AWS transitgateway metricset beta[] diff --git a/metricbeat/docs/modules/aws/usage.asciidoc b/metricbeat/docs/modules/aws/usage.asciidoc index a8609480ad8..2a3f3f64a75 100644 --- a/metricbeat/docs/modules/aws/usage.asciidoc +++ b/metricbeat/docs/modules/aws/usage.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-aws-usage]] +[role="xpack"] === AWS usage metricset beta[] diff --git a/metricbeat/docs/modules/aws/vpn.asciidoc b/metricbeat/docs/modules/aws/vpn.asciidoc index 8edc574ed51..21ff29237db 100644 --- a/metricbeat/docs/modules/aws/vpn.asciidoc +++ b/metricbeat/docs/modules/aws/vpn.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-aws-vpn]] +[role="xpack"] === AWS vpn metricset beta[] diff --git a/metricbeat/docs/modules/azure.asciidoc b/metricbeat/docs/modules/azure.asciidoc index 93d644bd999..248350e3fb1 100644 --- a/metricbeat/docs/modules/azure.asciidoc +++ b/metricbeat/docs/modules/azure.asciidoc @@ -18,6 +18,9 @@ Additional azure API calls will be executed in order to retrieve information reg The azure module mericsets are `monitor`, `compute_vm` and `compute_vm_scaleset` +IMPORTANT: Extra Azure charges on metric queries may be generated by this module. +Please see <> for more details. + [float] === Dashboards 
@@ -119,6 +122,7 @@ so the `period` for `billing` metricset should be `24h` or multiples of `24h`. This metricset will collect application insights metrics, the `period` (interval) for the `app-insights` metricset is set by default at `300s`. [float] +[[azure-api-cost]] == Additional notes about metrics and costs Costs: Metric queries are charged based on the number of standard API calls. More information on pricing here https://azure.microsoft.com/id-id/pricing/details/monitor/. diff --git a/metricbeat/docs/modules/azure/app_insights.asciidoc b/metricbeat/docs/modules/azure/app_insights.asciidoc index 2cc018c73f5..4bd8c2dd7c9 100644 --- a/metricbeat/docs/modules/azure/app_insights.asciidoc +++ b/metricbeat/docs/modules/azure/app_insights.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-azure-app_insights]] +[role="xpack"] === Azure app_insights metricset beta[] diff --git a/metricbeat/docs/modules/azure/billing.asciidoc b/metricbeat/docs/modules/azure/billing.asciidoc index 81b3b2c028e..6cb341be97b 100644 --- a/metricbeat/docs/modules/azure/billing.asciidoc +++ b/metricbeat/docs/modules/azure/billing.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-azure-billing]] +[role="xpack"] === Azure billing metricset beta[] diff --git a/metricbeat/docs/modules/azure/compute_vm.asciidoc b/metricbeat/docs/modules/azure/compute_vm.asciidoc index c28fb01498c..fdac6f7d06a 100644 --- a/metricbeat/docs/modules/azure/compute_vm.asciidoc +++ b/metricbeat/docs/modules/azure/compute_vm.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-azure-compute_vm]] +[role="xpack"] === Azure compute_vm metricset include::../../../../x-pack/metricbeat/module/azure/compute_vm/_meta/docs.asciidoc[] 
diff --git a/metricbeat/docs/modules/azure/compute_vm_scaleset.asciidoc b/metricbeat/docs/modules/azure/compute_vm_scaleset.asciidoc index 06191a8f44e..b291342cbef 100644 --- a/metricbeat/docs/modules/azure/compute_vm_scaleset.asciidoc +++ b/metricbeat/docs/modules/azure/compute_vm_scaleset.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-azure-compute_vm_scaleset]] +[role="xpack"] === Azure compute_vm_scaleset metricset include::../../../../x-pack/metricbeat/module/azure/compute_vm_scaleset/_meta/docs.asciidoc[] diff --git a/metricbeat/docs/modules/azure/container_instance.asciidoc b/metricbeat/docs/modules/azure/container_instance.asciidoc index 3bf12d7263a..81cd5febddc 100644 --- a/metricbeat/docs/modules/azure/container_instance.asciidoc +++ b/metricbeat/docs/modules/azure/container_instance.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-azure-container_instance]] +[role="xpack"] === Azure container_instance metricset include::../../../../x-pack/metricbeat/module/azure/container_instance/_meta/docs.asciidoc[] diff --git a/metricbeat/docs/modules/azure/container_registry.asciidoc b/metricbeat/docs/modules/azure/container_registry.asciidoc index c14fffa4753..03e4eb7abc6 100644 --- a/metricbeat/docs/modules/azure/container_registry.asciidoc +++ b/metricbeat/docs/modules/azure/container_registry.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-azure-container_registry]] +[role="xpack"] === Azure container_registry metricset include::../../../../x-pack/metricbeat/module/azure/container_registry/_meta/docs.asciidoc[] diff --git a/metricbeat/docs/modules/azure/container_service.asciidoc b/metricbeat/docs/modules/azure/container_service.asciidoc index a5fcb472273..c2a580959c0 100644 --- a/metricbeat/docs/modules/azure/container_service.asciidoc 
+++ b/metricbeat/docs/modules/azure/container_service.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-azure-container_service]] +[role="xpack"] === Azure container_service metricset include::../../../../x-pack/metricbeat/module/azure/container_service/_meta/docs.asciidoc[] diff --git a/metricbeat/docs/modules/azure/database_account.asciidoc b/metricbeat/docs/modules/azure/database_account.asciidoc index fcfa5f0b953..5a35100d23a 100644 --- a/metricbeat/docs/modules/azure/database_account.asciidoc +++ b/metricbeat/docs/modules/azure/database_account.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-azure-database_account]] +[role="xpack"] === Azure database_account metricset include::../../../../x-pack/metricbeat/module/azure/database_account/_meta/docs.asciidoc[] diff --git a/metricbeat/docs/modules/azure/monitor.asciidoc b/metricbeat/docs/modules/azure/monitor.asciidoc index 327ab61f22b..9f5a20d5b2c 100644 --- a/metricbeat/docs/modules/azure/monitor.asciidoc +++ b/metricbeat/docs/modules/azure/monitor.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-azure-monitor]] +[role="xpack"] === Azure monitor metricset include::../../../../x-pack/metricbeat/module/azure/monitor/_meta/docs.asciidoc[] diff --git a/metricbeat/docs/modules/azure/storage.asciidoc b/metricbeat/docs/modules/azure/storage.asciidoc index 6447523e519..45b788d6b17 100644 --- a/metricbeat/docs/modules/azure/storage.asciidoc +++ b/metricbeat/docs/modules/azure/storage.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-azure-storage]] +[role="xpack"] === Azure storage metricset include::../../../../x-pack/metricbeat/module/azure/storage/_meta/docs.asciidoc[] 
diff --git a/metricbeat/docs/modules/cloudfoundry/container.asciidoc b/metricbeat/docs/modules/cloudfoundry/container.asciidoc index 025c2152033..f308fb56150 100644 --- a/metricbeat/docs/modules/cloudfoundry/container.asciidoc +++ b/metricbeat/docs/modules/cloudfoundry/container.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-cloudfoundry-container]] +[role="xpack"] === Cloudfoundry container metricset beta[] diff --git a/metricbeat/docs/modules/cloudfoundry/counter.asciidoc b/metricbeat/docs/modules/cloudfoundry/counter.asciidoc index c623a969373..bc033c21616 100644 --- a/metricbeat/docs/modules/cloudfoundry/counter.asciidoc +++ b/metricbeat/docs/modules/cloudfoundry/counter.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-cloudfoundry-counter]] +[role="xpack"] === Cloudfoundry counter metricset beta[] diff --git a/metricbeat/docs/modules/cloudfoundry/value.asciidoc b/metricbeat/docs/modules/cloudfoundry/value.asciidoc index a26103907fe..a5150fe534e 100644 --- a/metricbeat/docs/modules/cloudfoundry/value.asciidoc +++ b/metricbeat/docs/modules/cloudfoundry/value.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-cloudfoundry-value]] +[role="xpack"] === Cloudfoundry value metricset beta[] diff --git a/metricbeat/docs/modules/cockroachdb/status.asciidoc b/metricbeat/docs/modules/cockroachdb/status.asciidoc index d15dd6fc0b8..2ce97f39b2a 100644 --- a/metricbeat/docs/modules/cockroachdb/status.asciidoc +++ b/metricbeat/docs/modules/cockroachdb/status.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-cockroachdb-status]] +[role="xpack"] === CockroachDB status metricset beta[] diff --git a/metricbeat/docs/modules/coredns/stats.asciidoc b/metricbeat/docs/modules/coredns/stats.asciidoc index 97f262a5077..0f328e1d8c4 100644 
--- a/metricbeat/docs/modules/coredns/stats.asciidoc +++ b/metricbeat/docs/modules/coredns/stats.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-coredns-stats]] +[role="xpack"] === Coredns stats metricset include::../../../../x-pack/metricbeat/module/coredns/stats/_meta/docs.asciidoc[] diff --git a/metricbeat/docs/modules/googlecloud.asciidoc b/metricbeat/docs/modules/googlecloud.asciidoc index f37cc2943ef..dc30097ea87 100644 --- a/metricbeat/docs/modules/googlecloud.asciidoc +++ b/metricbeat/docs/modules/googlecloud.asciidoc @@ -10,7 +10,10 @@ beta[] This module periodically fetches monitoring metrics from Google Cloud Platform using https://cloud.google.com/monitoring/api/metrics_gcp[Stackdriver Monitoring API] for Google Cloud Platform services. -Note: extra GCP charges on Stackdriver Monitoring API requests will be generated by this module. + +IMPORTANT: Extra GCP charges on Stackdriver Monitoring API requests may be +generated by this module. Please see <> +for more details. [float] == Module config and parameters 
@@ -138,7 +141,8 @@ GCP monitoring data has a up to 240 seconds latency, which means latest monitori In googlecloud module, metrics are collected based on this ingest delay, which is also obtained from ListMetricDescriptors API. [float] -=== Rough estimation of the number of API Calls +[[gcp-api-requests]] +=== Rough estimation of the number of API calls Google Cloud Platform pricing depends of the number of requests you do to their API's. Here you have some information that you can use to make an estimation of the pricing you should expect. For example, imagine that you have a Compute Metricset activated and you don't want to exclude labels. You have a total of 20 instances running in a particular GCP project, region and zone. For example, if Compute Metricset fetches 14 metrics (which is the number of metrics fetched in the early beta version). Each of those metrics will attempt an API call to Compute API to retrieve also their metadata. Because you have 20 different instances, the total number of API calls that will be done on each refresh period are: 14 metrics + 20 instances = 34 API requests every 5 minutes if that is your current Period. 9792 API requests per day with one zone. If you add 2 zones more with the same amount of instances you'll have 19584 API requests per day (9792 on each zone) or around 587520 per month for the Compute Metricset. This maths must be done for each different Metricset with slight variations. diff --git a/metricbeat/docs/modules/googlecloud/compute.asciidoc b/metricbeat/docs/modules/googlecloud/compute.asciidoc index fb6474bf756..bd8e4202788 100644 --- a/metricbeat/docs/modules/googlecloud/compute.asciidoc +++ b/metricbeat/docs/modules/googlecloud/compute.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-googlecloud-compute]] +[role="xpack"] === Google Cloud Platform compute metricset beta[] 
diff --git a/metricbeat/docs/modules/googlecloud/loadbalancing.asciidoc b/metricbeat/docs/modules/googlecloud/loadbalancing.asciidoc index 22ea8bf98b4..f6cdbcb5f6e 100644 --- a/metricbeat/docs/modules/googlecloud/loadbalancing.asciidoc +++ b/metricbeat/docs/modules/googlecloud/loadbalancing.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-googlecloud-loadbalancing]] +[role="xpack"] === Google Cloud Platform loadbalancing metricset beta[] diff --git a/metricbeat/docs/modules/googlecloud/metrics.asciidoc b/metricbeat/docs/modules/googlecloud/metrics.asciidoc index 2fecee9ab2b..404c35a430d 100644 --- a/metricbeat/docs/modules/googlecloud/metrics.asciidoc +++ b/metricbeat/docs/modules/googlecloud/metrics.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-googlecloud-metrics]] +[role="xpack"] === Google Cloud Platform metrics metricset beta[] diff --git a/metricbeat/docs/modules/googlecloud/pubsub.asciidoc b/metricbeat/docs/modules/googlecloud/pubsub.asciidoc index df751605e5a..605d4fae7ec 100644 --- a/metricbeat/docs/modules/googlecloud/pubsub.asciidoc +++ b/metricbeat/docs/modules/googlecloud/pubsub.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-googlecloud-pubsub]] +[role="xpack"] === Google Cloud Platform pubsub metricset beta[] diff --git a/metricbeat/docs/modules/googlecloud/storage.asciidoc b/metricbeat/docs/modules/googlecloud/storage.asciidoc index 86d42459977..2606dff2fff 100644 --- a/metricbeat/docs/modules/googlecloud/storage.asciidoc +++ b/metricbeat/docs/modules/googlecloud/storage.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-googlecloud-storage]] +[role="xpack"] === Google Cloud Platform storage metricset beta[] 
diff --git a/metricbeat/docs/modules/ibmmq/qmgr.asciidoc b/metricbeat/docs/modules/ibmmq/qmgr.asciidoc index 7617b660ad6..357f4965f9d 100644 --- a/metricbeat/docs/modules/ibmmq/qmgr.asciidoc +++ b/metricbeat/docs/modules/ibmmq/qmgr.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-ibmmq-qmgr]] +[role="xpack"] === IBM MQ qmgr metricset beta[] diff --git a/metricbeat/docs/modules/iis/application_pool.asciidoc b/metricbeat/docs/modules/iis/application_pool.asciidoc index 8b68e8f4801..042d41384c4 100644 --- a/metricbeat/docs/modules/iis/application_pool.asciidoc +++ b/metricbeat/docs/modules/iis/application_pool.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-iis-application_pool]] +[role="xpack"] === IIS application_pool metricset beta[] diff --git a/metricbeat/docs/modules/iis/webserver.asciidoc b/metricbeat/docs/modules/iis/webserver.asciidoc index 85c8d1474a1..00be405b058 100644 --- a/metricbeat/docs/modules/iis/webserver.asciidoc +++ b/metricbeat/docs/modules/iis/webserver.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-iis-webserver]] +[role="xpack"] === IIS webserver metricset beta[] diff --git a/metricbeat/docs/modules/iis/website.asciidoc b/metricbeat/docs/modules/iis/website.asciidoc index e1f1b77ffe7..c7c170b2e92 100644 --- a/metricbeat/docs/modules/iis/website.asciidoc +++ b/metricbeat/docs/modules/iis/website.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-iis-website]] +[role="xpack"] === IIS website metricset beta[] diff --git a/metricbeat/docs/modules/istio/citadel.asciidoc b/metricbeat/docs/modules/istio/citadel.asciidoc index e22881f1424..2560ae00a38 100644 --- a/metricbeat/docs/modules/istio/citadel.asciidoc +++ b/metricbeat/docs/modules/istio/citadel.asciidoc 
@@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-istio-citadel]] +[role="xpack"] === Istio citadel metricset beta[] diff --git a/metricbeat/docs/modules/istio/galley.asciidoc b/metricbeat/docs/modules/istio/galley.asciidoc index 903ca49cbcc..559db7ffe08 100644 --- a/metricbeat/docs/modules/istio/galley.asciidoc +++ b/metricbeat/docs/modules/istio/galley.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-istio-galley]] +[role="xpack"] === Istio galley metricset beta[] diff --git a/metricbeat/docs/modules/istio/mesh.asciidoc b/metricbeat/docs/modules/istio/mesh.asciidoc index 081312a28c9..b1d170be31b 100644 --- a/metricbeat/docs/modules/istio/mesh.asciidoc +++ b/metricbeat/docs/modules/istio/mesh.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-istio-mesh]] +[role="xpack"] === Istio mesh metricset beta[] diff --git a/metricbeat/docs/modules/istio/mixer.asciidoc b/metricbeat/docs/modules/istio/mixer.asciidoc index 760abaa7811..214cc4694fa 100644 --- a/metricbeat/docs/modules/istio/mixer.asciidoc +++ b/metricbeat/docs/modules/istio/mixer.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-istio-mixer]] +[role="xpack"] === Istio mixer metricset beta[] diff --git a/metricbeat/docs/modules/istio/pilot.asciidoc b/metricbeat/docs/modules/istio/pilot.asciidoc index 2aa6b03a385..5e406608ebc 100644 --- a/metricbeat/docs/modules/istio/pilot.asciidoc +++ b/metricbeat/docs/modules/istio/pilot.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-istio-pilot]] +[role="xpack"] === Istio pilot metricset beta[] diff --git a/metricbeat/docs/modules/mssql/performance.asciidoc b/metricbeat/docs/modules/mssql/performance.asciidoc index b21411b5a60..f0202e4574d 100644 
--- a/metricbeat/docs/modules/mssql/performance.asciidoc +++ b/metricbeat/docs/modules/mssql/performance.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-mssql-performance]] +[role="xpack"] === MSSQL performance metricset include::../../../../x-pack/metricbeat/module/mssql/performance/_meta/docs.asciidoc[] diff --git a/metricbeat/docs/modules/mssql/transaction_log.asciidoc b/metricbeat/docs/modules/mssql/transaction_log.asciidoc index 63bf00583c4..8e373dc7558 100644 --- a/metricbeat/docs/modules/mssql/transaction_log.asciidoc +++ b/metricbeat/docs/modules/mssql/transaction_log.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-mssql-transaction_log]] +[role="xpack"] === MSSQL transaction_log metricset include::../../../../x-pack/metricbeat/module/mssql/transaction_log/_meta/docs.asciidoc[] diff --git a/metricbeat/docs/modules/mysql.asciidoc b/metricbeat/docs/modules/mysql.asciidoc index 21762cbeb66..f762f5c8642 100644 --- a/metricbeat/docs/modules/mysql.asciidoc +++ b/metricbeat/docs/modules/mysql.asciidoc @@ -58,8 +58,10 @@ in <>. Here is an example configuration: metricbeat.modules: - module: mysql metricsets: - - "status" - # - "galera_status" + - status + # - galera_status + # - performance + # - query period: 10s # Host DSN should be defined as "user:pass@tcp(127.0.0.1:3306)/" diff --git a/metricbeat/docs/modules/mysql/performance.asciidoc b/metricbeat/docs/modules/mysql/performance.asciidoc index e0e47239f21..d94b12a53fa 100644 --- a/metricbeat/docs/modules/mysql/performance.asciidoc +++ b/metricbeat/docs/modules/mysql/performance.asciidoc @@ -9,7 +9,6 @@ beta[] include::../../../module/mysql/performance/_meta/docs.asciidoc[] -This is a default metricset. If the host module is unconfigured, this metricset is enabled by default. ==== Fields 
diff --git a/metricbeat/docs/modules/mysql/query.asciidoc b/metricbeat/docs/modules/mysql/query.asciidoc index fd8cdf650f9..31a8e1638c1 100644 --- a/metricbeat/docs/modules/mysql/query.asciidoc +++ b/metricbeat/docs/modules/mysql/query.asciidoc @@ -9,7 +9,6 @@ beta[] include::../../../module/mysql/query/_meta/docs.asciidoc[] -This is a default metricset. If the host module is unconfigured, this metricset is enabled by default. ==== Fields diff --git a/metricbeat/docs/modules/openmetrics/collector.asciidoc b/metricbeat/docs/modules/openmetrics/collector.asciidoc index fd5026ff378..1a18fb93e6c 100644 --- a/metricbeat/docs/modules/openmetrics/collector.asciidoc +++ b/metricbeat/docs/modules/openmetrics/collector.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-openmetrics-collector]] +[role="xpack"] === Openmetrics collector metricset beta[] diff --git a/metricbeat/docs/modules/oracle/performance.asciidoc b/metricbeat/docs/modules/oracle/performance.asciidoc index 2c57d8f6202..64802664b0d 100644 --- a/metricbeat/docs/modules/oracle/performance.asciidoc +++ b/metricbeat/docs/modules/oracle/performance.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-oracle-performance]] +[role="xpack"] === Oracle performance metricset include::../../../../x-pack/metricbeat/module/oracle/performance/_meta/docs.asciidoc[] diff --git a/metricbeat/docs/modules/oracle/tablespace.asciidoc b/metricbeat/docs/modules/oracle/tablespace.asciidoc index af25323b220..be1a2ebcec6 100644 --- a/metricbeat/docs/modules/oracle/tablespace.asciidoc +++ b/metricbeat/docs/modules/oracle/tablespace.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-oracle-tablespace]] +[role="xpack"] === Oracle tablespace metricset include::../../../../x-pack/metricbeat/module/oracle/tablespace/_meta/docs.asciidoc[] 
diff --git a/metricbeat/docs/modules/redisenterprise/node.asciidoc b/metricbeat/docs/modules/redisenterprise/node.asciidoc index 90103d11923..6460b9f87cb 100644 --- a/metricbeat/docs/modules/redisenterprise/node.asciidoc +++ b/metricbeat/docs/modules/redisenterprise/node.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-redisenterprise-node]] +[role="xpack"] === Redis Enterprise node metricset beta[] diff --git a/metricbeat/docs/modules/redisenterprise/proxy.asciidoc b/metricbeat/docs/modules/redisenterprise/proxy.asciidoc index cee1e06ebd4..b375211ab85 100644 --- a/metricbeat/docs/modules/redisenterprise/proxy.asciidoc +++ b/metricbeat/docs/modules/redisenterprise/proxy.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-redisenterprise-proxy]] +[role="xpack"] === Redis Enterprise proxy metricset beta[] diff --git a/metricbeat/docs/modules/sql/query.asciidoc b/metricbeat/docs/modules/sql/query.asciidoc index 16e999eb98c..cc3832ca234 100644 --- a/metricbeat/docs/modules/sql/query.asciidoc +++ b/metricbeat/docs/modules/sql/query.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-sql-query]] +[role="xpack"] === SQL query metricset beta[] diff --git a/metricbeat/docs/modules/stan/channels.asciidoc b/metricbeat/docs/modules/stan/channels.asciidoc index 63ff79005a3..c57c85c52ea 100644 --- a/metricbeat/docs/modules/stan/channels.asciidoc +++ b/metricbeat/docs/modules/stan/channels.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-stan-channels]] +[role="xpack"] === Stan channels metricset include::../../../../x-pack/metricbeat/module/stan/channels/_meta/docs.asciidoc[] diff --git a/metricbeat/docs/modules/stan/stats.asciidoc b/metricbeat/docs/modules/stan/stats.asciidoc index 62b6532b8ef..f8b5d0647e3 100644 
--- a/metricbeat/docs/modules/stan/stats.asciidoc +++ b/metricbeat/docs/modules/stan/stats.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-stan-stats]] +[role="xpack"] === Stan stats metricset include::../../../../x-pack/metricbeat/module/stan/stats/_meta/docs.asciidoc[] diff --git a/metricbeat/docs/modules/stan/subscriptions.asciidoc b/metricbeat/docs/modules/stan/subscriptions.asciidoc index 9ab2e2bd884..39631877264 100644 --- a/metricbeat/docs/modules/stan/subscriptions.asciidoc +++ b/metricbeat/docs/modules/stan/subscriptions.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-stan-subscriptions]] +[role="xpack"] === Stan subscriptions metricset include::../../../../x-pack/metricbeat/module/stan/subscriptions/_meta/docs.asciidoc[] diff --git a/metricbeat/docs/modules/statsd/server.asciidoc b/metricbeat/docs/modules/statsd/server.asciidoc index b3e983bbbd6..1462697808e 100644 --- a/metricbeat/docs/modules/statsd/server.asciidoc +++ b/metricbeat/docs/modules/statsd/server.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-statsd-server]] +[role="xpack"] === Statsd server metricset include::../../../../x-pack/metricbeat/module/statsd/server/_meta/docs.asciidoc[] diff --git a/metricbeat/docs/modules/tomcat/cache.asciidoc b/metricbeat/docs/modules/tomcat/cache.asciidoc index ddddaae045e..a19c257349b 100644 --- a/metricbeat/docs/modules/tomcat/cache.asciidoc +++ b/metricbeat/docs/modules/tomcat/cache.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-tomcat-cache]] +[role="xpack"] === Tomcat cache metricset beta[] diff --git a/metricbeat/docs/modules/tomcat/memory.asciidoc b/metricbeat/docs/modules/tomcat/memory.asciidoc index 1d850e840cd..bafbb9cfc93 100644 --- a/metricbeat/docs/modules/tomcat/memory.asciidoc 
+++ b/metricbeat/docs/modules/tomcat/memory.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-tomcat-memory]] +[role="xpack"] === Tomcat memory metricset beta[] diff --git a/metricbeat/docs/modules/tomcat/requests.asciidoc b/metricbeat/docs/modules/tomcat/requests.asciidoc index 8f2db18d4d4..50a153e463e 100644 --- a/metricbeat/docs/modules/tomcat/requests.asciidoc +++ b/metricbeat/docs/modules/tomcat/requests.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-tomcat-requests]] +[role="xpack"] === Tomcat requests metricset beta[] diff --git a/metricbeat/docs/modules/tomcat/threading.asciidoc b/metricbeat/docs/modules/tomcat/threading.asciidoc index 4d356cb2a9a..3b8516fe805 100644 --- a/metricbeat/docs/modules/tomcat/threading.asciidoc +++ b/metricbeat/docs/modules/tomcat/threading.asciidoc @@ -3,6 +3,7 @@ This file is generated! See scripts/mage/docs_collector.go //// [[metricbeat-metricset-tomcat-threading]] +[role="xpack"] === Tomcat threading metricset beta[] diff --git a/metricbeat/docs/running-on-kubernetes.asciidoc b/metricbeat/docs/running-on-kubernetes.asciidoc index 78844f9e1a0..411a7c9ae25 100644 --- a/metricbeat/docs/running-on-kubernetes.asciidoc +++ b/metricbeat/docs/running-on-kubernetes.asciidoc @@ -4,6 +4,8 @@ You can use {beatname_uc} <> on Kubernetes to retrieve cluster metrics. +TIP: Running {ecloud} on Kubernetes? See {eck-ref}/k8s-beat.html[Run {beats} on ECK]. + ifeval::["{release-state}"=="unreleased"] However, version {version} of {beatname_uc} has not yet been diff --git a/metricbeat/mb/lightmetricset.go b/metricbeat/mb/lightmetricset.go index 2354187b4ea..b78b2ef997c 100644 --- a/metricbeat/mb/lightmetricset.go +++ b/metricbeat/mb/lightmetricset.go @@ -18,9 +18,6 @@ package mb import ( - "fmt" - "net/url" - "github.com/pkg/errors" "github.com/elastic/beats/v7/libbeat/common" 
@@ -55,13 +52,17 @@ func (m *LightMetricSet) Registration(r *Register) (MetricSetRegistration, error originalFactory := registration.Factory registration.IsDefault = m.Default + // Disable the host parser, we will call it as part of the factory so the original + // host in the base module is not modified. + originalHostParser := registration.HostParser + registration.HostParser = nil + // Light modules factory has to override defaults and reproduce builder // functionality with the resulting configuration, it does: // - Override defaults // - Call module factory if registered (it wouldn't have been called // if light module is really a registered mixed module) - // - Call host parser if defined (it would have already been called - // without the light module defaults) + // - Call host parser if there was one defined // - Finally, call the original factory for the registered metricset registration.Factory = func(base BaseMetricSet) (MetricSet, error) { // Override default config on base module and metricset @@ -83,11 +84,9 @@ func (m *LightMetricSet) Registration(r *Register) (MetricSetRegistration, error base.module = module } - // At this point host parser was already run, we need to run this again - // with the overriden defaults - if registration.HostParser != nil { - host := m.useHostURISchemeIfPossible(base.host, base.hostData.URI) - base.hostData, err = registration.HostParser(base.module, host) + // Run the host parser if there was anyone defined + if originalHostParser != nil { + base.hostData, err = originalHostParser(base.module, base.host) if err != nil { return nil, errors.Wrapf(err, "host parser failed on light metricset factory for '%s/%s'", m.Module, m.Name) } 
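Review bot: The comment introduced in the second hunk, `// Run the host parser if there was anyone defined`, is ungrammatical; `// Run the host parser if one was defined` is the intended wording. It would also help to say there why the parser is invoked on `base.host` rather than on a scheme-prefixed variant, since the previous code deliberately re-attached the URI scheme and a reader may wonder whether that was dropped on purpose. Registration's body continues outside both hunks.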
@@ -100,18 +99,6 @@ func (m *LightMetricSet) Registration(r *Register) (MetricSetRegistration, error return registration, nil } -// useHostURISchemeIfPossible method parses given URI to extract protocol scheme and prepend it to the host. -// It prevents from skipping protocol scheme (e.g. https) while executing HostParser. -func (m *LightMetricSet) useHostURISchemeIfPossible(host, uri string) string { - u, err := url.ParseRequestURI(uri) - if err == nil { - if u.Scheme != "" { - return fmt.Sprintf("%s://%s", u.Scheme, u.Host) - } - } - return host -} - // baseModule does the configuration overrides in the base module configuration // taking into account the light metric set default configurations func (m *LightMetricSet) baseModule(from Module) (*BaseModule, error) { diff --git a/metricbeat/mb/module/wrapper.go b/metricbeat/mb/module/wrapper.go index f8375b4adf6..2ea0d2b60d1 100644 --- a/metricbeat/mb/module/wrapper.go +++ b/metricbeat/mb/module/wrapper.go @@ -142,7 +142,7 @@ func (mw *Wrapper) Start(done <-chan struct{}) <-chan beat.Event { defer msw.close() registry.Add(metricsPath, msw.Metrics(), monitoring.Full) - monitoring.NewString(msw.Metrics(), "starttime").Set(common.Time{}.String()) + monitoring.NewString(msw.Metrics(), "starttime").Set(common.Time(time.Now()).String()) msw.run(done, out) }(msw) diff --git a/metricbeat/metricbeat.reference.yml b/metricbeat/metricbeat.reference.yml index 2badf80ceff..92aed4ead8f 100644 --- a/metricbeat/metricbeat.reference.yml +++ b/metricbeat/metricbeat.reference.yml @@ -647,8 +647,10 @@ metricbeat.modules: #-------------------------------- MySQL Module -------------------------------- - module: mysql metricsets: - - "status" - # - "galera_status" + - status + # - galera_status + # - performance + # - query period: 10s # Host DSN should be defined as "user:pass@tcp(127.0.0.1:3306)/" 
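Review bot: `common.Time(time.Now())` in wrapper.go requires the `time` package to be imported, and the import block is outside this hunk, so it is worth confirming it was already there or the build breaks. The previous `common.Time{}.String()` recorded the zero time, so the substitution itself is the right fix. A short comment such as `// Wall-clock time at which this metricset wrapper was started.` would document what the "starttime" registry value represents.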
diff --git a/metricbeat/module/mysql/_meta/config.epr.yml b/metricbeat/module/mysql/_meta/config.epr.yml index 450b99a3761..3d65e506f97 100644 --- a/metricbeat/module/mysql/_meta/config.epr.yml +++ b/metricbeat/module/mysql/_meta/config.epr.yml @@ -1,7 +1,9 @@ - module: mysql metricsets: - - "status" - - "galera_status" + - status + # - galera_status + # - performance + # - query period: 10s # Host DSN should be defined as "user:pass@tcp(127.0.0.1:3306)/" diff --git a/metricbeat/module/mysql/_meta/config.reference.yml b/metricbeat/module/mysql/_meta/config.reference.yml index 6715260a5e9..03880a5ad6a 100644 --- a/metricbeat/module/mysql/_meta/config.reference.yml +++ b/metricbeat/module/mysql/_meta/config.reference.yml @@ -1,7 +1,9 @@ - module: mysql metricsets: - - "status" - # - "galera_status" + - status + # - galera_status + # - performance + # - query period: 10s # Host DSN should be defined as "user:pass@tcp(127.0.0.1:3306)/" diff --git a/metricbeat/module/mysql/_meta/config.yml b/metricbeat/module/mysql/_meta/config.yml index 81db7e28eed..367b32e9173 100644 --- a/metricbeat/module/mysql/_meta/config.yml +++ b/metricbeat/module/mysql/_meta/config.yml @@ -2,6 +2,8 @@ #metricsets: # - status # - galera_status + # - performance + # - query period: 10s # Host DSN should be defined as "user:pass@tcp(127.0.0.1:3306)/" @@ -15,4 +17,4 @@ #username: root # Password of hosts. Empty by default. - #password: secret \ No newline at end of file + #password: secret diff --git a/metricbeat/module/mysql/performance/manifest.yml b/metricbeat/module/mysql/performance/manifest.yml index b88a2694cf7..51aa01614b5 100644 --- a/metricbeat/module/mysql/performance/manifest.yml +++ b/metricbeat/module/mysql/performance/manifest.yml @@ -1,4 +1,4 @@ -default: true +default: false input: module: mysql metricset: query diff --git a/metricbeat/module/mysql/query/query.go b/metricbeat/module/mysql/query/query.go index 24f09218d47..d7664cc8635 100644 
--- a/metricbeat/module/mysql/query/query.go +++ b/metricbeat/module/mysql/query/query.go @@ -32,11 +32,12 @@ import ( "github.com/elastic/beats/v7/libbeat/common/cfgwarn" "github.com/elastic/beats/v7/metricbeat/helper/sql" "github.com/elastic/beats/v7/metricbeat/mb" + "github.com/elastic/beats/v7/metricbeat/module/mysql" ) func init() { mb.Registry.MustAddMetricSet("mysql", "query", New, - mb.DefaultMetricSet(), + mb.WithHostParser(mysql.ParseDSN), ) } diff --git a/metricbeat/modules.d/mysql.yml.disabled b/metricbeat/modules.d/mysql.yml.disabled index 610b5830cd9..2b3371b1890 100644 --- a/metricbeat/modules.d/mysql.yml.disabled +++ b/metricbeat/modules.d/mysql.yml.disabled @@ -5,6 +5,8 @@ #metricsets: # - status # - galera_status + # - performance + # - query period: 10s # Host DSN should be defined as "user:pass@tcp(127.0.0.1:3306)/" @@ -18,4 +20,4 @@ #username: root # Password of hosts. Empty by default. - #password: secret \ No newline at end of file + #password: secret diff --git a/metricbeat/scripts/mage/template/metricsetDoc.tmpl b/metricbeat/scripts/mage/template/metricsetDoc.tmpl index 4d68b28db18..da91e2a4fa3 100644 --- a/metricbeat/scripts/mage/template/metricsetDoc.tmpl +++ b/metricbeat/scripts/mage/template/metricsetDoc.tmpl @@ -3,6 +3,8 @@ This file is generated! See scripts/mage/docs_collector.go //// [[{{getBeatName}}-metricset-{{.Mod.Base}}-{{.Metricset.Title}}]] +{{- if .Mod.IsXpack}} +[role="xpack"]{{end}} === {{.Mod.Title}} {{.Metricset.Title}} metricset {{if not ( eq .Metricset.Release "ga") -}} diff --git a/packetbeat/Dockerfile b/packetbeat/Dockerfile index 2711edfeeff..a3c07f2b2ac 100644 --- a/packetbeat/Dockerfile +++ b/packetbeat/Dockerfile @@ -11,8 +11,6 @@ RUN \ libpcap-dev \ && rm -rf /var/lib/apt/lists/* -ENV PYTHON_ENV=/tmp/python-env - RUN pip3 install --upgrade pip==20.1.1 RUN pip3 install --upgrade setuptools==47.3.2 RUN pip3 install --upgrade docker-compose==1.23.2 
diff --git a/packetbeat/protos/http/http.go b/packetbeat/protos/http/http.go index efa344ab163..4b2367c0239 100644 --- a/packetbeat/protos/http/http.go +++ b/packetbeat/protos/http/http.go @@ -457,6 +457,12 @@ func (http *httpPlugin) flushResponses(conn *httpConnectionData) { unmatchedResponses.Add(1) resp := conn.responses.pop() debugf("Response from unknown transaction: %s. Reporting error.", resp.tcpTuple) + + if resp.statusCode == 100 { + debugf("Drop first 100-continue response") + return + } + event := http.newTransaction(nil, resp) http.publishTransaction(event) } diff --git a/packetbeat/tests/system/pcaps/http_100_continue.pcap b/packetbeat/tests/system/pcaps/http_100_continue.pcap new file mode 100644 index 00000000000..be1438e3080 Binary files /dev/null and b/packetbeat/tests/system/pcaps/http_100_continue.pcap differ diff --git a/packetbeat/tests/system/test_0070_http_100_continue.py b/packetbeat/tests/system/test_0070_http_100_continue.py new file mode 100644 index 00000000000..877bb90a280 --- /dev/null +++ b/packetbeat/tests/system/test_0070_http_100_continue.py @@ -0,0 +1,32 @@ +from packetbeat import BaseTest + +""" +Tests for checking expect 100-continue only generate 1 event +""" + + +class Test(BaseTest): + + def test_http_100_continue(self): + """ + Should only generate one event + """ + self.render_config_template( + iface_device="lo0", + http_ports=["9200"], + http_send_all_headers=True + ) + self.run_packetbeat(pcap="http_100_continue.pcap") + objs = self.read_output_json() + + assert len(objs) == 1 + o = objs[0] + + assert o["type"] == "http" + assert "request" in o["http"] + assert "headers" in o["http"]["request"] + assert o["http"]["request"]["headers"]["expect"] == "100-continue" + + assert "response" in o["http"] + + assert not "error" in o diff --git a/x-pack/elastic-agent/CHANGELOG.asciidoc b/x-pack/elastic-agent/CHANGELOG.asciidoc index 9b3ab9b2ac3..d3c08e7167c 100644 --- a/x-pack/elastic-agent/CHANGELOG.asciidoc 
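Review bot: The new `return` on a 100-continue response leaves `flushResponses` entirely rather than skipping that one response; if the surrounding code drains `conn.responses` in a loop (the function's start is outside this hunk), any responses queued behind the interim 100 are never flushed, and `continue` would be the intended control flow. `unmatchedResponses.Add(1)` and the "Reporting error" debug line also run before the check, so dropped 100-continue responses are still counted and logged as unmatched. Moving the check ahead of them, `if resp.statusCode == 100 { debugf("Drop first 100-continue response"); continue }`, keeps the counter honest and the log accurate.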
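Review bot: `assert not "error" in o` is the non-idiomatic form that linters flag (it reads as `(not "error") in o` at a glance); `assert "error" not in o` expresses the same check. The triple-quoted string placed after `from packetbeat import BaseTest` is a bare expression, not the module docstring — move it above the import so it documents the module. The test method's docstring could also state the expectation more precisely, e.g. `One http event for a request with Expect: 100-continue; the interim 100 response must not produce a second event.`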
+++ b/x-pack/elastic-agent/CHANGELOG.asciidoc @@ -51,6 +51,10 @@ - Remove support for logs type and use logfile {pull}19761[19761] - Avoid comparing uncomparable types on enroll {issue}19976[19976] - Fix issues with merging of elastic-agent.yml and fleet.yml {pull}20026[20026] +- Unzip failures on Windows 8/Windows server 2012 {pull}20088[20088] +- Fix failing unit tests on windows {pull}20127[20127] +- Improve GRPC stop to be more relaxed {pull}20118[20118] +- Prevent closing closed reader {pull}20214[20214] ==== New features @@ -91,3 +95,5 @@ - Will retry to enroll if the server return a 429. {pull}19918[19811] - Allow to specify what artifacts to embed at build times {pull}20019[20019] - Add --staging option to enroll command {pull}20026[20026] +- Add `event.dataset` to all events {pull}20076[20076] +- Prepare packaging for endpoint and asc files {pull}20186[20186] diff --git a/x-pack/elastic-agent/docs/elastic-agent.asciidoc b/x-pack/elastic-agent/docs/elastic-agent.asciidoc index 1dc9a1a8ba3..a3736a8e944 100644 --- a/x-pack/elastic-agent/docs/elastic-agent.asciidoc +++ b/x-pack/elastic-agent/docs/elastic-agent.asciidoc @@ -15,6 +15,7 @@ To learn how to install, configure, and run your {agent}s, see: * <> * <> +* <> * <> * <> @@ -22,6 +23,8 @@ include::install-elastic-agent.asciidoc[leveloffset=+1] include::run-elastic-agent.asciidoc[leveloffset=+1] +include::stop-elastic-agent.asciidoc[leveloffset=+1] + include::elastic-agent-command-line.asciidoc[leveloffset=+1] include::elastic-agent-configuration.asciidoc[leveloffset=+1] diff --git a/x-pack/elastic-agent/docs/run-elastic-agent.asciidoc b/x-pack/elastic-agent/docs/run-elastic-agent.asciidoc index e7f3896d551..9cc31bfc44a 100644 --- a/x-pack/elastic-agent/docs/run-elastic-agent.asciidoc +++ b/x-pack/elastic-agent/docs/run-elastic-agent.asciidoc 
@@ -34,11 +34,18 @@ generate a token. See <> for detailed steps. + Where `$token` is an enrollment token acquired from {fleet}. +//TODO: Add tabbed panels for platform-specific tabs (waiting for final design) + To start {agent}, run: + +// tag::run-agent[] [source,shell] ---- -./elastic-agent run +./elastic-agent run <1> ---- +<1> On Windows, you must run {agent} under the SYSTEM account if you plan +to use the {elastic-endpoint} integration. +// end::run-agent[] [discrete] [[standalone-mode]] @@ -52,10 +59,7 @@ when you restart your system. To start {agent} manually, run: -[source,shell] ----- -./elastic-agent run ----- +include::run-elastic-agent.asciidoc[tag=run-agent] If no configuration file is specified, {agent} uses the default configuration, `elastic-agent.yml`, which is located in the same directory as {agent}. Specify diff --git a/x-pack/elastic-agent/docs/stop-elastic-agent.asciidoc b/x-pack/elastic-agent/docs/stop-elastic-agent.asciidoc new file mode 100644 index 00000000000..913254d688b --- /dev/null +++ b/x-pack/elastic-agent/docs/stop-elastic-agent.asciidoc 
@@ -0,0 +1,43 @@ +[[stop-elastic-agent]] +[role="xpack"] += Stop {agent} + +To stop {agent} and its related executables, stop the {agent} process. Use the +commands that work for your system. + +//TODO: Replace with tabbed panel when it's out of experimental phase. + +*Windows:* + +If you installed the Agent as a service, stop the service. If +necessary, use Task Manager on Windows to stop {agent}. This will kill the +{agent} process and any sub-processes it created (such as {beats}). + +*Linux or macOS:* + +Run the following command to get the ID of the `elastic-agent` process: + +[source,shell] +---- +ps | grep elastic-agent +---- + +Then kill the process: + +[source,shell] +---- +kill -9 PID +---- + +Where `PID` is the ID of the `elastic-agent` process. + +*Systemd:* + +The DEB and RPM packages include a service unit for Linux systems with systemd. +On these systems, you can manage {agent} by using systemd commands. Use +`systemctl` to stop the Agent: + +[source,shell] +---- +systemctl stop elastic-agent +---- diff --git a/x-pack/elastic-agent/pkg/agent/application/action_store.go b/x-pack/elastic-agent/pkg/agent/application/action_store.go index a0b008d9623..25dbf7a5b82 100644 --- a/x-pack/elastic-agent/pkg/agent/application/action_store.go +++ b/x-pack/elastic-agent/pkg/agent/application/action_store.go @@ -33,6 +33,7 @@ func newActionStore(log *logger.Logger, store storeLoad) (*actionStore, error) { if err != nil { return &actionStore{log: log, store: store}, nil } + defer reader.Close() var action actionConfigChangeSerializer diff --git a/x-pack/elastic-agent/pkg/agent/application/action_store_test.go b/x-pack/elastic-agent/pkg/agent/application/action_store_test.go index a3ccb5b9e48..4205deda8b6 100644 --- a/x-pack/elastic-agent/pkg/agent/application/action_store_test.go +++ b/x-pack/elastic-agent/pkg/agent/application/action_store_test.go @@ -9,7 +9,6 @@ import ( "io/ioutil" "os" "path/filepath" - "runtime" "testing" "github.com/stretchr/testify/require" 
@@ -20,10 +19,6 @@ import ( ) func TestActionStore(t *testing.T) { - if runtime.GOOS == "windows" { - t.Skip("Skipping on windows see https://github.com/elastic/beats/issues/19919") - } - log, _ := logger.New("action_store") withFile := func(fn func(t *testing.T, file string)) func(*testing.T) { return func(t *testing.T) { diff --git a/x-pack/elastic-agent/pkg/agent/application/info/agent_id.go b/x-pack/elastic-agent/pkg/agent/application/info/agent_id.go index 60462b7da4f..f58ab5c2a5e 100644 --- a/x-pack/elastic-agent/pkg/agent/application/info/agent_id.go +++ b/x-pack/elastic-agent/pkg/agent/application/info/agent_id.go @@ -94,10 +94,6 @@ func getInfoFromStore(s ioStore) (*persistentAgentInfo, error) { errors.M(errors.MetaKeyPath, agentConfigFile)) } - if err := reader.Close(); err != nil { - return nil, err - } - configMap, err := cfg.ToMapStr() if err != nil { return nil, errors.New(err, @@ -137,10 +133,6 @@ func updateAgentInfo(s ioStore, agentInfo *persistentAgentInfo) error { errors.M(errors.MetaKeyPath, agentConfigFile)) } - if err := reader.Close(); err != nil { - return err - } - configMap := make(map[string]interface{}) if err := cfg.Unpack(&configMap); err != nil { return errors.New(err, "failed to unpack stored config to map") diff --git a/x-pack/elastic-agent/pkg/agent/operation/monitoring.go b/x-pack/elastic-agent/pkg/agent/operation/monitoring.go index bf03f4f34a5..62372cc3f54 100644 --- a/x-pack/elastic-agent/pkg/agent/operation/monitoring.go +++ b/x-pack/elastic-agent/pkg/agent/operation/monitoring.go @@ -198,6 +198,14 @@ func (o *Operator) getMonitoringFilebeatConfig(output interface{}) (map[string]i }, }, }, + { + "add_fields": map[string]interface{}{ + "target": "event", + "fields": map[string]interface{}{ + "dataset": "elastic.agent", + }, + }, + }, }, }, } 
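Review bot: The `add_fields` processor that stamps `event.dataset` is spelled out as the same nested map literal here and again in the two later hunks of monitoring.go (the per-program branch of `getMonitoringFilebeatConfig` and `getMonitoringMetricbeatConfig`), differing only in the dataset string; a small helper keeps the three in sync. The later hunks use `fmt.Sprintf`, which needs `fmt` imported in monitoring.go — the import block is not in this diff, so that is worth confirming. Both functions start outside the hunks; the helper and one call site follow.
```go
// datasetProcessor builds the add_fields processor that sets event.dataset
// on every event emitted by a monitored program.
func datasetProcessor(dataset string) map[string]interface{} {
	return map[string]interface{}{
		"add_fields": map[string]interface{}{
			"target": "event",
			"fields": map[string]interface{}{
				"dataset": dataset,
			},
		},
	}
}

// … unchanged: getMonitoringFilebeatConfig up to the processors list …
				datasetProcessor("elastic.agent"),
```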
@@ -224,6 +232,14 @@ func (o *Operator) getMonitoringFilebeatConfig(output interface{}) (map[string]i }, }, }, + { + "add_fields": map[string]interface{}{ + "target": "event", + "fields": map[string]interface{}{ + "dataset": fmt.Sprintf("elastic.agent.%s", name), + }, + }, + }, }, }) } @@ -266,6 +282,14 @@ func (o *Operator) getMonitoringMetricbeatConfig(output interface{}) (map[string }, }, }, + { + "add_fields": map[string]interface{}{ + "target": "event", + "fields": map[string]interface{}{ + "dataset": fmt.Sprintf("elastic.agent.%s", name), + }, + }, + }, }, }) } diff --git a/x-pack/elastic-agent/pkg/agent/program/testdata/constraints_config-filebeat.yml b/x-pack/elastic-agent/pkg/agent/program/testdata/constraints_config-filebeat.yml index 31e7b27eafd..15f6b71a953 100644 --- a/x-pack/elastic-agent/pkg/agent/program/testdata/constraints_config-filebeat.yml +++ b/x-pack/elastic-agent/pkg/agent/program/testdata/constraints_config-filebeat.yml @@ -12,6 +12,10 @@ filebeat: type: logs name: generic namespace: default + - add_fields: + target: "event" + fields: + dataset: generic output: elasticsearch: hosts: diff --git a/x-pack/elastic-agent/pkg/agent/program/testdata/enabled_output_true-filebeat.yml b/x-pack/elastic-agent/pkg/agent/program/testdata/enabled_output_true-filebeat.yml index 97b9e529bc6..c2e8c0d26ec 100644 --- a/x-pack/elastic-agent/pkg/agent/program/testdata/enabled_output_true-filebeat.yml +++ b/x-pack/elastic-agent/pkg/agent/program/testdata/enabled_output_true-filebeat.yml @@ -12,6 +12,10 @@ filebeat: type: logs name: generic namespace: default + - add_fields: + target: "event" + fields: + dataset: generic output: elasticsearch: enabled: true diff --git a/x-pack/elastic-agent/pkg/agent/program/testdata/enabled_true-filebeat.yml b/x-pack/elastic-agent/pkg/agent/program/testdata/enabled_true-filebeat.yml index 080303e6d19..1da1c701d81 100644 --- a/x-pack/elastic-agent/pkg/agent/program/testdata/enabled_true-filebeat.yml 
+++ b/x-pack/elastic-agent/pkg/agent/program/testdata/enabled_true-filebeat.yml @@ -13,6 +13,10 @@ filebeat: type: logs name: generic namespace: default + - add_fields: + target: "event" + fields: + dataset: generic output: elasticsearch: hosts: diff --git a/x-pack/elastic-agent/pkg/agent/program/testdata/single_config-filebeat.yml b/x-pack/elastic-agent/pkg/agent/program/testdata/single_config-filebeat.yml index 25b7af4e40a..0fb1a4356b5 100644 --- a/x-pack/elastic-agent/pkg/agent/program/testdata/single_config-filebeat.yml +++ b/x-pack/elastic-agent/pkg/agent/program/testdata/single_config-filebeat.yml @@ -14,6 +14,10 @@ filebeat: type: logs name: generic namespace: default + - add_fields: + target: "event" + fields: + dataset: generic - type: log paths: - /var/log/hello3.log @@ -28,6 +32,10 @@ filebeat: type: testtype name: generic namespace: default + - add_fields: + target: "event" + fields: + dataset: generic output: elasticsearch: hosts: diff --git a/x-pack/elastic-agent/pkg/agent/program/testdata/single_config-metricbeat.yml b/x-pack/elastic-agent/pkg/agent/program/testdata/single_config-metricbeat.yml index 2e5e070dfb1..67a3815e4a7 100644 --- a/x-pack/elastic-agent/pkg/agent/program/testdata/single_config-metricbeat.yml +++ b/x-pack/elastic-agent/pkg/agent/program/testdata/single_config-metricbeat.yml @@ -11,6 +11,10 @@ metricbeat: type: metrics name: docker.status namespace: default + - add_fields: + target: "event" + fields: + dataset: docker.status - module: docker metricsets: [info] index: metrics-generic-default @@ -22,6 +26,10 @@ metricbeat: type: metrics name: generic namespace: default + - add_fields: + target: "event" + fields: + dataset: generic - module: apache metricsets: [info] index: metrics-generic-testing @@ -36,6 +44,10 @@ metricbeat: type: metrics name: generic namespace: testing + - add_fields: + target: "event" + fields: + dataset: generic output: elasticsearch: 
diff --git a/x-pack/elastic-agent/pkg/agent/transpiler/rules.go b/x-pack/elastic-agent/pkg/agent/transpiler/rules.go index 69dd59a459f..fe98386a150 100644 --- a/x-pack/elastic-agent/pkg/agent/transpiler/rules.go +++ b/x-pack/elastic-agent/pkg/agent/transpiler/rules.go @@ -639,9 +639,16 @@ func (r *InjectStreamProcessorRule) Apply(ast *AST) error { &Key{name: "namespace", value: &StrVal{value: namespace}}, &Key{name: "name", value: &StrVal{value: dataset}}, }}}) - addFieldsMap := &Dict{value: []Node{&Key{"add_fields", processorMap}}} processorsList.value = mergeStrategy(r.OnConflict).InjectItem(processorsList.value, addFieldsMap) + + processorMap = &Dict{value: make([]Node, 0)} + processorMap.value = append(processorMap.value, &Key{name: "target", value: &StrVal{value: "event"}}) + processorMap.value = append(processorMap.value, &Key{name: "fields", value: &Dict{value: []Node{ + &Key{name: "dataset", value: &StrVal{value: dataset}}, + }}}) + addFieldsMap = &Dict{value: []Node{&Key{"add_fields", processorMap}}} + processorsList.value = mergeStrategy(r.OnConflict).InjectItem(processorsList.value, addFieldsMap) } } diff --git a/x-pack/elastic-agent/pkg/artifact/install/zip/zip_installer.go b/x-pack/elastic-agent/pkg/artifact/install/zip/zip_installer.go index 451cd701627..ffc90f2dce8 100644 --- a/x-pack/elastic-agent/pkg/artifact/install/zip/zip_installer.go +++ b/x-pack/elastic-agent/pkg/artifact/install/zip/zip_installer.go @@ -7,11 +7,12 @@ package zip import ( "archive/zip" "context" - "fmt" + "io" "os" - "os/exec" "path/filepath" + "github.com/hashicorp/go-multierror" + "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/agent/errors" "github.com/elastic/beats/v7/x-pack/elastic-agent/pkg/artifact" ) @@ -47,7 +48,7 @@ func (i *Installer) Install(_ context.Context, programName, version, installDir os.RemoveAll(installDir) } - if err := i.unzip(artifactPath, programName, version); err != nil { + if err := i.unzip(artifactPath); err != nil { return err } 
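Review bot: The new block reuses `processorMap` and `addFieldsMap` to build a second processor that differs from the one above only in target and fields, and `&Key{"add_fields", processorMap}` uses positional fields while every other `Key` literal in the hunk is keyed (`&Key{name: ..., value: ...}`); keyed fields plus distinct names such as `datasetMap`/`datasetFieldsMap` would make the two injections easier to tell apart. A one-line comment stating the intent, `// Second add_fields processor: set event.dataset to the stream's dataset.`, would help because the first processor's purpose is not restated here. Apply's body continues outside the hunk.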
@@ -67,14 +68,59 @@ func (i *Installer) Install(_ context.Context, programName, version, installDir return nil } -func (i *Installer) unzip(artifactPath, programName, version string) error { - if _, err := os.Stat(artifactPath); err != nil { - return errors.New(fmt.Sprintf("artifact for '%s' version '%s' could not be found at '%s'", programName, version, artifactPath), errors.TypeFilesystem, errors.M(errors.MetaKeyPath, artifactPath)) +func (i *Installer) unzip(artifactPath string) error { + r, err := zip.OpenReader(artifactPath) + if err != nil { + return err + } + defer r.Close() + + if err := os.MkdirAll(i.config.InstallPath, 0755); err != nil && !os.IsExist(err) { + // failed to create install dir + return err + } + + unpackFile := func(f *zip.File) (err error) { + rc, err := f.Open() + if err != nil { + return err + } + defer func() { + if cerr := rc.Close(); cerr != nil { + err = multierror.Append(err, cerr) + } + }() + + path := filepath.Join(i.config.InstallPath, f.Name) + + if f.FileInfo().IsDir() { + os.MkdirAll(path, f.Mode()) + } else { + os.MkdirAll(filepath.Dir(path), f.Mode()) + f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, f.Mode()) + if err != nil { + return err + } + defer func() { + if cerr := f.Close(); cerr != nil { + err = multierror.Append(err, cerr) + } + }() + + if _, err = io.Copy(f, rc); err != nil { + return err + } + } + return nil } - powershellArg := fmt.Sprintf("Expand-Archive -LiteralPath \"%s\" -DestinationPath \"%s\"", artifactPath, i.config.InstallPath) - installCmd := exec.Command("powershell", "-command", powershellArg) - return installCmd.Run() + for _, f := range r.File { + if err := unpackFile(f); err != nil { + return err + } + } + + return nil } // retrieves root directory from zip archive diff --git a/x-pack/elastic-agent/pkg/config/config.go b/x-pack/elastic-agent/pkg/config/config.go index e8845840137..a7620a7f630 100644 --- a/x-pack/elastic-agent/pkg/config/config.go 
+++ b/x-pack/elastic-agent/pkg/config/config.go @@ -49,6 +49,10 @@ func NewConfigFrom(from interface{}) (*Config, error) { } if in, ok := from.(io.Reader); ok { + if closer, ok := from.(io.Closer); ok { + defer closer.Close() + } + content, err := ioutil.ReadAll(in) if err != nil { return nil, err diff --git a/x-pack/elastic-agent/pkg/core/server/server.go b/x-pack/elastic-agent/pkg/core/server/server.go index 4cd5c8386ec..12885e2f012 100644 --- a/x-pack/elastic-agent/pkg/core/server/server.go +++ b/x-pack/elastic-agent/pkg/core/server/server.go @@ -526,6 +526,7 @@ func (as *ApplicationState) WriteConnInfo(w io.Writer) error { // the application times out during stop and ErrApplication func (as *ApplicationState) Stop(timeout time.Duration) error { as.checkinLock.Lock() + wasConn := as.checkinDone != nil cfgIdx := as.statusConfigIdx as.expected = proto.StateExpected_STOPPING as.checkinLock.Unlock() @@ -548,8 +549,10 @@ func (as *ApplicationState) Stop(timeout time.Duration) error { s := as.status doneChan := as.checkinDone as.checkinLock.RUnlock() - if s == proto.StateObserved_STOPPING && doneChan == nil { - // sent stopping and now is disconnected (so its stopped) + if (wasConn && doneChan == nil) || (!wasConn && s == proto.StateObserved_STOPPING && doneChan == nil) { + // either occurred + // * client was connected then disconnected on stop + // * client was not connected; connected; received stopping; then disconnected as.Destroy() return nil } diff --git a/x-pack/elastic-agent/pkg/core/server/server_test.go b/x-pack/elastic-agent/pkg/core/server/server_test.go index 608be5641f9..424efb14311 100644 --- a/x-pack/elastic-agent/pkg/core/server/server_test.go +++ b/x-pack/elastic-agent/pkg/core/server/server_test.go 
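Review bot: `defer closer.Close()` closes a reader the caller handed in, which silently transfers ownership to `NewConfigFrom`: a caller that passes an open `*os.File` and reads or seeks it afterwards now gets an error, and the return value of `Close` is discarded. If closing here is intended, state it in the function's doc comment, e.g. `// NewConfigFrom ... If from implements io.Closer it is closed before NewConfigFrom returns.`; otherwise leave closing to the code that opened the reader. `NewConfigFrom` starts outside the hunk.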
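Review bot: The new condition `(wasConn && doneChan == nil) || (!wasConn && s == proto.StateObserved_STOPPING && doneChan == nil)` factors to `doneChan == nil && (wasConn || s == proto.StateObserved_STOPPING)`, which reads more directly and makes the `wasConn` shortcut obvious; the three-line comment above `as.Destroy()` could then be one sentence. With `wasConn` true, a disconnect for any reason during the stop window — not only after an observed STOPPING — is now treated as a clean stop, which appears intended but is worth saying in that comment. `Stop` starts and ends outside the hunk.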
@@ -416,6 +416,57 @@ func TestServer_Stop(t *testing.T) { assert.NoError(t, stopErr) } +func TestServer_StopJustDisconnect(t *testing.T) { + initConfig := "initial_config" + app := &StubApp{} + srv := createAndStartServer(t, &StubHandler{}) + defer srv.Stop() + as, err := srv.Register(app, initConfig) + require.NoError(t, err) + cImpl := &StubClientImpl{} + c := newClientFromApplicationState(t, as, cImpl) + require.NoError(t, c.Start(context.Background())) + defer c.Stop() + + // clients should get initial check-ins then set as healthy + require.NoError(t, waitFor(func() error { + if cImpl.Config() != initConfig { + return fmt.Errorf("client never got intial config") + } + return nil + })) + c.Status(proto.StateObserved_HEALTHY, "Running", nil) + assert.NoError(t, waitFor(func() error { + if app.Status() != proto.StateObserved_HEALTHY { + return fmt.Errorf("server never updated currect application state") + } + return nil + })) + + // send stop to the client + done := make(chan bool) + var stopErr error + go func() { + stopErr = as.Stop(time.Second * 5) + close(done) + }() + + // process of testing the flow + // 1. server sends stop + // 2. client disconnects + require.NoError(t, waitFor(func() error { + if cImpl.Stop() == 0 { + return fmt.Errorf("client never got expected stop") + } + return nil + })) + c.Stop() + <-done + + // no error on stop + assert.NoError(t, stopErr) +} + func TestServer_StopTimeout(t *testing.T) { initConfig := "initial_config" app := &StubApp{} diff --git a/x-pack/filebeat/docs/inputs/input-http-endpoint.asciidoc b/x-pack/filebeat/docs/inputs/input-http-endpoint.asciidoc index 2a949b01d26..18d60e9e145 100644 --- a/x-pack/filebeat/docs/inputs/input-http-endpoint.asciidoc +++ b/x-pack/filebeat/docs/inputs/input-http-endpoint.asciidoc 
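Review bot: The two `waitFor` messages carry typos, `"client never got intial config"` and `"server never updated currect application state"` — `initial` and `correct`. `c.Stop()` is invoked both explicitly and through the earlier `defer c.Stop()`; whether Stop is idempotent is not visible here, so either drop the defer or note that a second call is safe. `TestServer_StopJustDisconnect` is entirely within the hunk.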
@@ -41,6 +41,17 @@ Custom response example: prefix: "json" ---- +Disable Content-Type checks +["source","yaml",subs="attributes"] +---- +{beatname_lc}.inputs: +- type: http_endpoint + enabled: true + listen_address: 192.168.1.1 + content_type: "" + prefix: "json" +---- + Basic auth and SSL example: ["source","yaml",subs="attributes"] ---- @@ -80,6 +91,12 @@ If `basic_auth` is enabled, this is the username used for authentication against If `basic_auth` is eanbled, this is the password used for authentication against the HTTP listener. Requires `username` to also be set. +[float] +==== `content_type` + +By default the input expects the incoming POST to include a Content-Type of `application/json` to try to enforce the incoming data to be valid JSON. +In certain scenarios when the source of the request is not able to do that, it can be overwritten with another value or set to null + [float] ==== `response_code` diff --git a/x-pack/filebeat/filebeat.reference.yml b/x-pack/filebeat/filebeat.reference.yml index fb70bff9132..f5d235404bf 100644 --- a/x-pack/filebeat/filebeat.reference.yml +++ b/x-pack/filebeat/filebeat.reference.yml @@ -600,25 +600,6 @@ filebeat.modules: # "+02:00" for GMT+02:00 # var.tz_offset: local - firepass: - enabled: true - - # Set which input to use between udp (default), tcp or file. - # var.input: udp - # var.syslog_host: localhost - # var.syslog_port: 9509 - - # Set paths for the log files when file input is used. - # var.paths: - - # Toggle output of non-ECS fields (default true). - # var.rsa_fields: true - - # Set custom timezone offset. - # "local" (default) for system timezone. - # "+02:00" for GMT+02:00 - # var.tz_offset: local - #------------------------------- Fortinet Module ------------------------------- - module: fortinet firewall: diff --git a/x-pack/filebeat/input/http_endpoint/config.go b/x-pack/filebeat/input/http_endpoint/config.go index 41e97489cec..acd549e77ee 100644 --- a/x-pack/filebeat/input/http_endpoint/config.go 
+++ b/x-pack/filebeat/input/http_endpoint/config.go @@ -23,6 +23,7 @@ type config struct { ListenPort string `config:"listen_port"` URL string `config:"url"` Prefix string `config:"prefix"` + ContentType string `config:"content_type"` } func defaultConfig() config { @@ -36,6 +37,7 @@ func defaultConfig() config { ListenPort: "8000", URL: "/", Prefix: "json", + ContentType: "application/json", } } diff --git a/x-pack/filebeat/input/http_endpoint/input.go b/x-pack/filebeat/input/http_endpoint/input.go index c79fd2cba22..e21fb4325b2 100644 --- a/x-pack/filebeat/input/http_endpoint/input.go +++ b/x-pack/filebeat/input/http_endpoint/input.go @@ -87,7 +87,7 @@ func (e *httpEndpoint) Run(ctx v2.Context, publisher stateless.Publisher) error username: e.config.Username, password: e.config.Password, method: http.MethodPost, - contentType: "application/json", + contentType: e.config.ContentType, } handler := &httpHandler{ diff --git a/x-pack/filebeat/input/s3/input.go b/x-pack/filebeat/input/s3/input.go index e74800ae127..15f9384b7cf 100644 --- a/x-pack/filebeat/input/s3/input.go +++ b/x-pack/filebeat/input/s3/input.go 
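Review bot: The new `ContentType` field is undocumented, and the docs hunk in this change says an empty value turns the Content-Type check off; that contract belongs on the field, e.g. `// ContentType is the value the request's Content-Type header must match; empty disables the check.`. Whether an explicit `content_type: ""` in YAML overrides the `"application/json"` default from `defaultConfig` depends on the config unpacker and is not visible here — a test pinning both the default and the empty-string case would settle it.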
@@ -455,17 +455,10 @@ func (p *s3Input) createEventsFromS3Info(svc s3iface.ClientAPI, info s3Info, s3C gzipReader.Close() } - // Check if expand_event_list_from_field is given with document content-type = "application/json" - if resp.ContentType != nil && *resp.ContentType == "application/json" && p.config.ExpandEventListFromField == "" { - err := errors.New("expand_event_list_from_field parameter is missing in config for application/json content-type file") - p.logger.Error(err) - return err - } - - // Decode JSON documents when expand_event_list_from_field is given in config - if p.config.ExpandEventListFromField != "" { + // Decode JSON documents when content-type is "application/json" or expand_event_list_from_field is given in config + if resp.ContentType != nil && *resp.ContentType == "application/json" || p.config.ExpandEventListFromField != "" { decoder := json.NewDecoder(reader) - err := p.decodeJSONWithKey(decoder, objectHash, info, s3Ctx) + err := p.decodeJSON(decoder, objectHash, info, s3Ctx) if err != nil { err = errors.Wrapf(err, "decodeJSONWithKey failed for '%s' from S3 bucket '%s'", info.key, info.name) p.logger.Error(err) 
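Review bot: The wrap message `"decodeJSONWithKey failed for '%s' from S3 bucket '%s'"` still names the old function after the call was changed to `p.decodeJSON`, so the logged path no longer exists in the code; change it to `"decodeJSON failed for '%s' from S3 bucket '%s'"`. The condition `resp.ContentType != nil && *resp.ContentType == "application/json" || p.config.ExpandEventListFromField != ""` parses as intended because `&&` binds tighter than `||`, but parenthesising the first clause would make that explicit to the reader. `createEventsFromS3Info` starts and ends outside the hunk.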
@@ -512,33 +505,20 @@ func (p *s3Input) createEventsFromS3Info(svc s3iface.ClientAPI, info s3Info, s3C return nil } -func (p *s3Input) decodeJSONWithKey(decoder *json.Decoder, objectHash string, s3Info s3Info, s3Ctx *s3Context) error { +func (p *s3Input) decodeJSON(decoder *json.Decoder, objectHash string, s3Info s3Info, s3Ctx *s3Context) error { offset := 0 for { - var jsonFields map[string][]interface{} + var jsonFields interface{} err := decoder.Decode(&jsonFields) if jsonFields == nil { return nil } if err == io.EOF { - // create event for last line - // get logs from expand_event_list_from_field - textValues, ok := jsonFields[p.config.ExpandEventListFromField] - if !ok { - err = errors.Wrapf(err, "key '%s' not found", p.config.ExpandEventListFromField) - p.logger.Error(err) + offset, err = p.jsonFieldsType(jsonFields, offset, objectHash, s3Info, s3Ctx) + if err != nil { return err } - - for _, v := range textValues { - err := p.convertJSONToEvent(v, offset, objectHash, s3Info, s3Ctx) - if err != nil { - err = errors.Wrapf(err, "convertJSONToEvent failed for '%s' from S3 bucket '%s'", s3Info.key, s3Info.name) - p.logger.Error(err) - return err - } - } } else if err != nil { // decode json failed, skip this log file err = errors.Wrapf(err, "decode json failed for '%s' from S3 bucket '%s', skipping this file", s3Info.key, s3Info.name) 
@@ -546,25 +526,46 @@ func (p *s3Input) decodeJSONWithKey(decoder *json.Decoder, objectHash string, s3 return nil } - textValues, ok := jsonFields[p.config.ExpandEventListFromField] - if !ok { - err = errors.Wrapf(err, "Key '%s' not found", p.config.ExpandEventListFromField) - p.logger.Error(err) + offset, err = p.jsonFieldsType(jsonFields, offset, objectHash, s3Info, s3Ctx) + if err != nil { return err } + } +} - for _, v := range textValues { - err := p.convertJSONToEvent(v, offset, objectHash, s3Info, s3Ctx) - if err != nil { - err = errors.Wrapf(err, "Key '%s' not found", p.config.ExpandEventListFromField) +func (p *s3Input) jsonFieldsType(jsonFields interface{}, offset int, objectHash string, s3Info s3Info, s3Ctx *s3Context) (int, error) { + switch f := jsonFields.(type) { + case map[string][]interface{}: + if p.config.ExpandEventListFromField != "" { + textValues, ok := f[p.config.ExpandEventListFromField] + if !ok { + err := errors.Errorf("key '%s' not found", p.config.ExpandEventListFromField) p.logger.Error(err) - return err + return offset, err + } + for _, v := range textValues { + offset, err := p.convertJSONToEvent(v, offset, objectHash, s3Info, s3Ctx) + if err != nil { + err = errors.Wrapf(err, "convertJSONToEvent failed for '%s' from S3 bucket '%s'", s3Info.key, s3Info.name) + p.logger.Error(err) + return offset, err + } } + return offset, nil + } + case map[string]interface{}: + offset, err := p.convertJSONToEvent(f, offset, objectHash, s3Info, s3Ctx) + if err != nil { + err = errors.Wrapf(err, "convertJSONToEvent failed for '%s' from S3 bucket '%s'", s3Info.key, s3Info.name) + p.logger.Error(err) + return offset, err } + return offset, nil } + return offset, nil } -func (p *s3Input) convertJSONToEvent(jsonFields interface{}, offset int, objectHash string, s3Info s3Info, s3Ctx *s3Context) error { +func (p *s3Input) convertJSONToEvent(jsonFields interface{}, offset int, objectHash string, s3Info s3Info, s3Ctx *s3Context) (int, error) { vJSON, err := 
json.Marshal(jsonFields) logOriginal := string(vJSON) log := trimLogDelimiter(logOriginal) @@ -575,9 +576,9 @@ func (p *s3Input) convertJSONToEvent(jsonFields interface{}, offset int, objectH if err != nil { err = errors.Wrap(err, "forwardEvent failed") p.logger.Error(err) - return err + return offset, err } - return nil + return offset, nil } func (p *s3Input) forwardEvent(event beat.Event) error { diff --git a/x-pack/filebeat/module/cisco/_meta/fields.yml b/x-pack/filebeat/module/cisco/_meta/fields.yml index 8209de0cd6f..fbe1e33d2c8 100644 --- a/x-pack/filebeat/module/cisco/_meta/fields.yml +++ b/x-pack/filebeat/module/cisco/_meta/fields.yml @@ -3,8 +3,4 @@ description: > Module for handling Cisco network device logs. fields: - - name: cisco - type: group - description: > - Fields from Cisco logs. - fields: + diff --git a/x-pack/filebeat/module/cisco/asa/_meta/fields.yml b/x-pack/filebeat/module/cisco/asa/_meta/fields.yml index 5915c246ff5..678615265fa 100644 --- a/x-pack/filebeat/module/cisco/asa/_meta/fields.yml +++ b/x-pack/filebeat/module/cisco/asa/_meta/fields.yml @@ -1,4 +1,4 @@ -- name: asa +- name: cisco.asa type: group description: > Fields for Cisco ASA Firewall. diff --git a/x-pack/filebeat/module/cisco/fields.go b/x-pack/filebeat/module/cisco/fields.go index a644fa716ac..695aec368e4 100644 --- a/x-pack/filebeat/module/cisco/fields.go +++ b/x-pack/filebeat/module/cisco/fields.go @@ -19,5 +19,5 @@ func init() { // AssetCisco returns asset data. // This is the base64 encoded gzipped contents of module/cisco. func AssetCisco() string { - return "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" + return "" } diff --git a/x-pack/filebeat/module/cisco/ftd/_meta/fields.yml b/x-pack/filebeat/module/cisco/ftd/_meta/fields.yml index e6db84b9385..7c31ecd11ff 100644 --- a/x-pack/filebeat/module/cisco/ftd/_meta/fields.yml +++ b/x-pack/filebeat/module/cisco/ftd/_meta/fields.yml 
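Review bot: The `case map[string][]interface{}` arm of `jsonFieldsType` can never match: `decodeJSON` decodes into `var jsonFields interface{}` (previous hunk) and encoding/json represents every object as `map[string]interface{}`, so the `expand_event_list_from_field` path is dead and such objects fall through to the second arm and are emitted as a single event. Inside the loop `offset, err := p.convertJSONToEvent(v, offset, ...)` also redeclares `offset`, so every iteration passes the original value and `return offset, nil` hands back the input offset unchanged. A top-level JSON array matches neither arm and is dropped silently. The sketch below asserts the configured key's value as `[]interface{}` instead and assigns `offset` rather than redeclaring it; `convertJSONToEvent`'s body runs past the hunk.
```go
func (p *s3Input) jsonFieldsType(jsonFields interface{}, offset int, objectHash string, s3Info s3Info, s3Ctx *s3Context) (int, error) {
	f, ok := jsonFields.(map[string]interface{})
	if !ok {
		return offset, nil
	}
	var err error
	if p.config.ExpandEventListFromField == "" {
		offset, err = p.convertJSONToEvent(f, offset, objectHash, s3Info, s3Ctx)
		if err != nil {
			err = errors.Wrapf(err, "convertJSONToEvent failed for '%s' from S3 bucket '%s'", s3Info.key, s3Info.name)
			p.logger.Error(err)
		}
		return offset, err
	}
	textValues, ok := f[p.config.ExpandEventListFromField].([]interface{})
	if !ok {
		err = errors.Errorf("key '%s' not found or not a list", p.config.ExpandEventListFromField)
		p.logger.Error(err)
		return offset, err
	}
	for _, v := range textValues {
		offset, err = p.convertJSONToEvent(v, offset, objectHash, s3Info, s3Ctx)
		if err != nil {
			err = errors.Wrapf(err, "convertJSONToEvent failed for '%s' from S3 bucket '%s'", s3Info.key, s3Info.name)
			p.logger.Error(err)
			return offset, err
		}
	}
	return offset, nil
}
```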
@@ -1,4 +1,4 @@ -- name: ftd +- name: cisco.ftd type: group description: > Fields for Cisco Firepower Threat Defense Firewall. diff --git a/x-pack/filebeat/module/cisco/ios/_meta/fields.yml b/x-pack/filebeat/module/cisco/ios/_meta/fields.yml index 8acb2c9cf4e..2f394f7ac87 100644 --- a/x-pack/filebeat/module/cisco/ios/_meta/fields.yml +++ b/x-pack/filebeat/module/cisco/ios/_meta/fields.yml @@ -1,4 +1,4 @@ -- name: ios +- name: cisco.ios type: group description: > Fields for Cisco IOS logs. diff --git a/x-pack/filebeat/module/crowdstrike/falcon/_meta/fields.yml b/x-pack/filebeat/module/crowdstrike/falcon/_meta/fields.yml index 2b32b5d270d..6d7daaf1469 100644 --- a/x-pack/filebeat/module/crowdstrike/falcon/_meta/fields.yml +++ b/x-pack/filebeat/module/crowdstrike/falcon/_meta/fields.yml @@ -8,7 +8,7 @@ - name: eventType type: keyword description: > - DetectionSummaryEvent, IncidentSummaryEvent, RemoteResponseSessionStartEvent, RemoteResponseSessionEndEvent, AuthActivityAuditEvent, or UserActivityAuditEvent + DetectionSummaryEvent, FirewallMatchEvent, IncidentSummaryEvent, RemoteResponseSessionStartEvent, RemoteResponseSessionEndEvent, AuthActivityAuditEvent, or UserActivityAuditEvent - name: eventCreationTime type: date @@ -36,7 +36,7 @@ Event data fields for each event and alert. type: group default_field: false - fields: + fields: - name: ProcessStartTime type: date description: > @@ -102,11 +102,16 @@ description: > Executable path with command line arguments. + - name: SHA1String + type: keyword + description: > + SHA1 sum of the executable associated with the detection. + - name: SHA256String type: keyword description: > SHA256 sum of the executable associated with the detection. - + - name: MD5String type: keyword description: > @@ -227,6 +232,11 @@ description: > Fields that were changed in this event. + - name: ExecutablesWritten + type: nested + description: > + Detected executables written to disk by a process. + - name: SessionId type: keyword description: 
> @@ -246,3 +256,206 @@ type: date description: > End time for the remote session in UTC UNIX format. + + - name: LateralMovement + type: long + description: > + Lateral movement field for incident. + + - name: ParentImageFileName + type: keyword + description: > + Path to the parent process. + + - name: ParentCommandLine + type: keyword + description: > + Parent process command line arguments. + + - name: GrandparentImageFileName + type: keyword + description: > + Path to the grandparent process. + + - name: GrandparentCommandLine + type: keyword + description: > + Grandparent process command line arguments. + + - name: IOCType + type: keyword + description: > + CrowdStrike type for indicator of compromise. + + - name: IOCValue + type: keyword + description: > + CrowdStrike value for indicator of compromise. + + # FirewallMatchEvent + - name: CustomerId + type: keyword + description: > + Customer identifier. + + - name: DeviceId + type: keyword + description: > + Device on which the event occurred. + + - name: Ipv + type: keyword + description: > + Protocol for network request. + + - name: ConnectionDirection + type: keyword + description: > + Direction for network connection. + + - name: EventType + type: keyword + description: > + CrowdStrike provided event type. + + - name: HostName + type: keyword + description: > + Host name of the local machine. + + - name: ICMPCode + type: keyword + description: > + RFC2780 ICMP Code field. + + - name: ICMPType + type: keyword + description: > + RFC2780 ICMP Type field. + + - name: ImageFileName + type: keyword + description: > + File name of the associated process for the detection. + + - name: PID + type: long + description: > + Associated process id for the detection. + + - name: LocalAddress + type: ip + description: > + IP address of local machine. + + - name: LocalPort + type: long + description: > + Port of local machine. + + - name: RemoteAddress + type: ip + description: > + IP address of remote machine. 
+ + - name: RemotePort + type: long + description: > + Port of remote machine. + + - name: RuleAction + type: keyword + description: > + Firewall rule action. + + - name: RuleDescription + type: keyword + description: > + Firewall rule description. + + - name: RuleFamilyID + type: keyword + description: > + Firewall rule family id. + + - name: RuleGroupName + type: keyword + description: > + Firewall rule group name. + + - name: RuleName + type: keyword + description: > + Firewall rule name. + + - name: RuleId + type: keyword + description: > + Firewall rule id. + + - name: MatchCount + type: long + description: > + Number of firewall rule matches. + + - name: MatchCountSinceLastReport + type: long + description: > + Number of firewall rule matches since the last report. + + - name: Timestamp + type: date + description: > + Firewall rule triggered timestamp. + + # Not entirely sure about the descriptions of the following fields + - name: Flags.Audit + type: boolean + description: > + CrowdStrike audit flag. + + - name: Flags.Log + type: boolean + description: > + CrowdStrike log flag. + + - name: Flags.Monitor + type: boolean + description: > + CrowdStrike monitor flag. + + - name: Protocol + type: keyword + description: > + CrowdStrike provided protocol. + + - name: NetworkProfile + type: keyword + description: > + CrowdStrike network profile. + + - name: PolicyName + type: keyword + description: > + CrowdStrike policy name. + + - name: PolicyID + type: keyword + description: > + CrowdStrike policy id. + + - name: Status + type: keyword + description: > + CrowdStrike status. + + - name: TreeID + type: keyword + description: > + CrowdStrike tree id. + + # RemoteResponseSessionEndEvent + - name: Commands + type: keyword + description: > + Commands run in a remote session. diff --git a/x-pack/filebeat/module/crowdstrike/falcon/config/pipeline.js b/x-pack/filebeat/module/crowdstrike/falcon/config/pipeline.js index 6ef77376175..b12309caef5 100644 
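Review bot: `Timestamp` is declared `type: date`, but the pipeline.js hunk in this change only normalises ProcessStartTime, ProcessEndTime, IncidentStartTime, IncidentEndTime, StartTimestamp, EndTimestamp, UTCTimestamp and eventCreationTime through `convertToMSEpoch`, so a seconds-resolution epoch in `crowdstrike.event.Timestamp` would presumably be indexed as milliseconds and land in 1970; either add the field to that list or declare it `long`. The comment `# Not entirely sure about the descriptions of the following fields` ships uncertainty into the schema — confirm the `Flags.*` descriptions against the vendor documentation or mark them provisional in the description text itself. The hunk ends at the `Commands` field.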
--- a/x-pack/filebeat/module/crowdstrike/falcon/config/pipeline.js +++ b/x-pack/filebeat/module/crowdstrike/falcon/config/pipeline.js 
@@ -2,186 +2,429 @@ // or more contributor license agreements. Licensed under the Elastic License; // you may not use this file except in compliance with the Elastic License. -var crowdstrikeFalcon = (function() { +var crowdstrikeFalconProcessor = (function () { var processor = require("processor"); - var convertUnderscore = function(text) { - return text.split(/(?=[A-Z])/).join('_').toLowerCase(); - }; - - var decodeJson = new processor.DecodeJSONFields({ - fields: ["message"], - target: "crowdstrike", - process_array: true, - max_depth: 8 - }); - - var dropFields = function(evt) { - evt.Delete("message"); - evt.Delete("host.name"); - }; - - var setFields = function (evt) { - evt.Put("agent.name", "falcon"); - }; - - var convertFields = new processor.Convert({ - fields: [ - // DetectionSummaryEvent - { from: "crowdstrike.event.LocalIP", to: "source.ip", type: "ip" }, - { from: "crowdstrike.event.ProcessId", to: "process.pid" }, - // UserActivityAuditEvent and AuthActivityAuditEvent - { from: "crowdstrike.event.UserIp", to: "source.ip", type: "ip" }, - ], - mode: "copy", - ignore_missing: true, - ignore_failure: true - }); - - var parseTimestamp = new processor.Timestamp({ - field: "crowdstrike.metadata.eventCreationTime", - target_field: "@timestamp", - timezone: "UTC", - layouts: ["UNIX_MS"], - ignore_missing: false, - }); - - var processEvent = function(evt) { - var eventType = evt.Get("crowdstrike.metadata.eventType") - var outcome = evt.Get("crowdstrike.event.Success") - - evt.Put("event.kind", "event") - - if (outcome === true) { - evt.Put("event.outcome", "success") + // conversion helpers + function convertUnderscore(text) { + return text.split(/(?=[A-Z])/).join('_').toLowerCase(); + } + + function convertToMSEpoch(evt, field) { + var timestamp = evt.Get(field); + if (timestamp) { + if (timestamp < 100000000000) { // check if we have a seconds timestamp, this is roughly 1973 in MS + evt.Put(field, timestamp * 1000); + } + (new processor.Timestamp({ + field: 
field, + target_field: field, + timezone: "UTC", + layouts: ["UNIX_MS"] + })).Run(evt); } - else if (outcome === false) { - evt.Put("event.outcome", "failure") + } + + function convertProcess(evt) { + var commandLine = evt.Get("crowdstrike.event.CommandLine") + if (commandLine && commandLine.trim() !== "") { + var args = commandLine.split(' ').filter(function (arg) { + return arg !== ""; + }); + var executable = args[0] + + evt.Put("process.command_line", commandLine) + evt.Put("process.args", args) + evt.Put("process.executable", executable) } - else { - evt.Put("event.outcome", "unknown") + } + + function convertSourceDestination(evt) { + var localAddress = evt.Get("crowdstrike.event.LocalAddress"); + var localPort = evt.Get("crowdstrike.event.LocalPort"); + var remoteAddress = evt.Get("crowdstrike.event.RemoteAddress"); + var remotePort = evt.Get("crowdstrike.event.RemotePort"); + if (evt.Get("crowdstrike.event.ConnectionDirection") === "1") { + evt.Put("network.direction", "inbound") + evt.Put("source.ip", remoteAddress) + evt.Put("source.port", remotePort) + evt.Put("destination.ip", localAddress) + evt.Put("destination.port", localPort) + } else { + evt.Put("network.direction", "outbound") + evt.Put("destination.ip", remoteAddress) + evt.Put("destination.port", remotePort) + evt.Put("source.ip", localAddress) + evt.Put("source.port", localPort) } - - switch (eventType) { - case "DetectionSummaryEvent": + evt.AppendTo("related.ip", remoteAddress) + evt.AppendTo("related.ip", localAddress) + } + + function convertEventAction(evt) { + evt.Put("event.action", convertUnderscore(evt.Get("crowdstrike.metadata.eventType"))) + } + + function convertUsername(evt) { + var username = evt.Get("crowdstrike.event.UserName") + if (!username || username === "") { + username = evt.Get("crowdstrike.event.UserId") + } + if (username && username !== "") { + evt.Put("user.name", username) + if (username.split('@').length == 2) { + evt.Put("user.email", username) + } + 
evt.AppendTo("related.user", username) + } + } + + // event processors by type + var eventProcessors = { + DetectionSummaryEvent: new processor.Chain() + .AddFields({ + fields: { + "event.kind": "alert", + "event.category": ["malware"], + "event.type": ["info"], + "event.dataset": "crowdstrike.falcon_endpoint", + "agent.type": "falcon", + }, + target: "", + }) + .Convert({ + fields: [{ + from: "crowdstrike.event.LocalIP", + to: "source.ip", + type: "ip" + }, { + from: "crowdstrike.event.LocalIP", + to: "related.ip", + type: "ip" + }, { + from: "crowdstrike.event.ProcessId", + to: "process.pid" + }, { + from: "crowdstrike.event.ParentImageFileName", + to: "process.parent.executable" + }, { + from: "crowdstrike.event.ParentCommandLine", + to: "process.parent.command_line" + }, { + from: "crowdstrike.event.PatternDispositionDescription", + to: "event.action", + }, { + from: "crowdstrike.event.FalconHostLink", + to: "event.url", + }, { + from: "crowdstrike.event.Severity", + to: "event.severity", + }, { + from: "crowdstrike.event.DetectDescription", + to: "message", + }, { + from: "crowdstrike.event.FileName", + to: "process.name", + }, { + from: "crowdstrike.event.UserName", + to: "user.name", + }, + { + from: "crowdstrike.event.MachineDomain", + to: "user.domain", + }, + { + from: "crowdstrike.event.SensorId", + to: "agent.id", + }, + { + from: "crowdstrike.event.ComputerName", + to: "host.name", + }, + { + from: "crowdstrike.event.SHA256String", + to: "file.hash.sha256", + }, + { + from: "crowdstrike.event.MD5String", + to: "file.hash.md5", + }, + { + from: "crowdstrike.event.SHA1String", + to: "file.hash.sha1", + }, + { + from: "crowdstrike.event.DetectName", + to: "rule.name", + }, + { + from: "crowdstrike.event.DetectDescription", + to: "rule.description", + } + ], + mode: "copy", + ignore_missing: true, + fail_on_error: false + }) + .Add(function (evt) { var tactic = evt.Get("crowdstrike.event.Tactic").toLowerCase() var technique = 
evt.Get("crowdstrike.event.Technique").toLowerCase() - evt.Put("threat.technique.name", technique) + evt.Put("threat.technique.name", technique) evt.Put("threat.tactic.name", tactic) - - evt.Put("event.action", evt.Get("crowdstrike.event.PatternDispositionDescription")) - evt.Put("event.kind", "alert") - evt.Put("event.type", ["info"]) - evt.Put("event.category", ["malware"]) - evt.Put("event.url", evt.Get("crowdstrike.event.FalconHostLink")) - evt.Put("event.dataset", "crowdstrike.falcon_endpoint") - - evt.Put("event.severity", evt.Get("crowdstrike.event.Severity")) - evt.Put("message", evt.Get("crowdstrike.event.DetectDescription")) - evt.Put("process.name", evt.Get("crowdstrike.event.FileName")) - - var command_line = evt.Get("crowdstrike.event.CommandLine") - var args = command_line.split(' ') - var executable = args[0] - - evt.Put("process.command_line", command_line) - evt.Put("process.args", args) - evt.Put("process.executable", executable) - - evt.Put("user.name", evt.Get("crowdstrike.event.UserName")) - evt.Put("user.domain", evt.Get("crowdstrike.event.MachineDomain")) - evt.Put("agent.id", evt.Get("crowdstrike.event.SensorId")) - evt.Put("host.name", evt.Get("crowdstrike.event.ComputerName")) - evt.Put("agent.type", "falcon") - evt.Put("file.hash.sha256", evt.Get("crowdstrike.event.SHA256String")) - evt.Put("file.hash.md5", evt.Get("crowdstrike.event.MD5String")) - evt.Put("rule.name", evt.Get("crowdstrike.event.DetectName")) - evt.Put("rule.description", evt.Get("crowdstrike.event.DetectDescription")) - - break; - - case "IncidentSummaryEvent": - evt.Put("event.kind", "alert") - evt.Put("event.type", ["info"]) - evt.Put("event.category", ["malware"]) - evt.Put("event.action", "incident") - evt.Put("event.url", evt.Get("crowdstrike.event.FalconHostLink")) - evt.Put("event.dataset", "crowdstrike.falcon_endpoint") - + convertProcess(evt) + }) + .Build(), + + IncidentSummaryEvent: new processor.Chain() + .AddFields({ + fields: { + "event.kind": "alert", + 
"event.category": ["malware"], + "event.type": ["info"], + "event.action": "incident", + "event.dataset": "crowdstrike.falcon_endpoint", + "agent.type": "falcon", + }, + target: "", + }) + .Convert({ + fields: [{ + from: "crowdstrike.event.FalconHostLink", + to: "event.url", + }], + mode: "copy", + ignore_missing: true, + fail_on_error: false + }) + .Add(function (evt) { evt.Put("message", "Incident score " + evt.Get("crowdstrike.event.FineScore")) - - break; - - case "UserActivityAuditEvent": - var userid = evt.Get("crowdstrike.event.UserId") - evt.Put("user.name", userid) - if (userid.split('@').length == 2) { - evt.Put("user.email", userid) - } - - evt.Put("message", evt.Get("crowdstrike.event.OperationName")) - evt.Put("event.action", convertUnderscore(eventType)) - evt.Put("event.type", ["change"]) - evt.Put("event.category", ["iam"]) - evt.Put("event.dataset", "crowdstrike.falcon_audit") - - break; - - case "AuthActivityAuditEvent": - var userid = evt.Get("crowdstrike.event.UserId") - evt.Put("user.name", userid) - if (userid.split('@').length == 2) { - evt.Put("user.email", userid) - } - - evt.Put("message", evt.Get("crowdstrike.event.ServiceName")) + convertProcess(evt) + }) + .Build(), + + UserActivityAuditEvent: new processor.Chain() + .AddFields({ + fields: { + kind: "event", + category: ["iam"], + type: ["change"], + dataset: "crowdstrike.falcon_audit", + }, + target: "event", + }) + .Convert({ + fields: [{ + from: "crowdstrike.event.OperationName", + to: "message", + }, { + from: "crowdstrike.event.UserIp", + to: "source.ip", + type: "ip" + }, { + from: "crowdstrike.event.UserIp", + to: "related.ip", + type: "ip" + }], + mode: "copy", + ignore_missing: true, + fail_on_error: false + }) + .Add(convertUsername) + .Add(convertEventAction) + .Build(), + + AuthActivityAuditEvent: new processor.Chain() + .AddFields({ + fields: { + kind: "event", + category: ["authentication"], + type: ["change"], + dataset: "crowdstrike.falcon_audit", + }, + target: "event", 
+ }) + .Convert({ + fields: [{ + from: "crowdstrike.event.ServiceName", + to: "message", + }, { + from: "crowdstrike.event.UserIp", + to: "source.ip", + type: "ip" + }, { + from: "crowdstrike.event.UserIp", + to: "related.ip", + type: "ip" + }], + mode: "copy", + ignore_missing: true, + fail_on_error: false + }) + .Add(function (evt) { evt.Put("event.action", convertUnderscore(evt.Get("crowdstrike.event.OperationName"))) - evt.Put("event.type", ["change"]) - evt.Put("event.category", ["authentication"]) - evt.Put("event.dataset", "crowdstrike.falcon_audit") - - break; - - case "RemoteResponseSessionStartEvent": - case "RemoteResponseSessionEndEvent": - var username = evt.Get("crowdstrike.event.UserName") - evt.Put("user.name", username) - if (username.split('@').length == 2) { - evt.Put("user.email", username) - } - - evt.Put("host.name", evt.Get("crowdstrike.event.HostnameField")) - evt.Put("event.action", convertUnderscore(eventType)) - evt.Put("event.dataset", "crowdstrike.falcon_audit") - - if (eventType == "RemoteResponseSessionStartEvent") { - evt.Put("event.type", ["start"]) - evt.Put("message", "Remote response session started") - } else { - evt.Put("event.type", ["end"]) - evt.Put("message", "Remote response session ended") - } - - break; - - default: - break; - } - } - - var pipeline = new processor.Chain() - .Add(decodeJson) - .Add(parseTimestamp) - .Add(dropFields) - .Add(convertFields) - .Add(processEvent) - .Build(); - - return { - process: pipeline.Run, - }; + convertUsername(evt) + }) + .Build(), + + FirewallMatchEvent: new processor.Chain() + .AddFields({ + fields: { + kind: "event", + category: ["network"], + type: ["start", "connection"], + outcome: ["unknown"], + dataset: "crowdstrike.falcon_endpoint", + }, + target: "event", + }) + .Convert({ + fields: [{ + from: "crowdstrike.event.Ipv", + to: "network.type", + }, { + from: "crowdstrike.event.PID", + to: "process.pid", + }, + { + from: "crowdstrike.event.RuleId", + to: "rule.id" + }, + { + 
from: "crowdstrike.event.RuleName", + to: "rule.name" + }, + { + from: "crowdstrike.event.RuleGroupName", + to: "rule.ruleset" + }, + { + from: "crowdstrike.event.RuleDescription", + to: "rule.description" + }, + { + from: "crowdstrike.event.RuleFamilyID", + to: "rule.category" + }, + { + from: "crowdstrike.event.HostName", + to: "host.name" + }, + { + from: "crowdstrike.event.Ipv", + to: "network.type", + }, + { + from: "crowdstrike.event.EventType", + to: "event.code", + } + ], + mode: "copy", + ignore_missing: true, + fail_on_error: false + }) + .Add(function (evt) { + evt.Put("message", "Firewall Rule '" + evt.Get("crowdstrike.event.RuleName") + "' triggered") + convertEventAction(evt) + convertProcess(evt) + convertSourceDestination(evt) + }) + .Build(), + + RemoteResponseSessionStartEvent: new processor.Chain() + .AddFields({ + fields: { + "event.kind": "event", + "event.type": ["start"], + "event.dataset": "crowdstrike.falcon_audit", + message: "Remote response session started", + }, + target: "", + }) + .Convert({ + fields: [{ + from: "crowdstrike.event.HostnameField", + to: "host.name", + }], + mode: "copy", + ignore_missing: true, + fail_on_error: false + }) + .Add(convertUsername) + .Add(convertEventAction) + .Build(), + + RemoteResponseSessionEndEvent: new processor.Chain() + .AddFields({ + fields: { + "event.kind": "event", + "event.type": ["end"], + "event.dataset": "crowdstrike.falcon_audit", + message: "Remote response session ended", + }, + target: "", + }) + .Convert({ + fields: [{ + from: "crowdstrike.event.HostnameField", + to: "host.name", + }], + mode: "copy", + ignore_missing: true, + fail_on_error: false + }) + .Add(convertUsername) + .Add(convertEventAction) + .Build(), + } + + // main processor + return new processor.Chain() + .DecodeJSONFields({ + fields: ["message"], + target: "crowdstrike", + process_array: true, + max_depth: 8 + }) + .Add(function (evt) { + evt.Delete("message"); + evt.Delete("host.name"); + + convertToMSEpoch(evt, 
"crowdstrike.event.ProcessStartTime") + convertToMSEpoch(evt, "crowdstrike.event.ProcessEndTime") + convertToMSEpoch(evt, "crowdstrike.event.IncidentStartTime") + convertToMSEpoch(evt, "crowdstrike.event.IncidentEndTime") + convertToMSEpoch(evt, "crowdstrike.event.StartTimestamp") + convertToMSEpoch(evt, "crowdstrike.event.EndTimestamp") + convertToMSEpoch(evt, "crowdstrike.event.UTCTimestamp") + convertToMSEpoch(evt, "crowdstrike.metadata.eventCreationTime") + + var outcome = evt.Get("crowdstrike.event.Success") + if (outcome === true) { + evt.Put("event.outcome", "success") + } else if (outcome === false) { + evt.Put("event.outcome", "failure") + } else { + evt.Put("event.outcome", "unknown") + } + + var eventProcessor = eventProcessors[evt.Get("crowdstrike.metadata.eventType")] + if (eventProcessor) { + eventProcessor.Run(evt) + } + }) + .Convert({ + fields: [{ + from: "crowdstrike.metadata.eventCreationTime", + to: "@timestamp", + }], + mode: "copy", + ignore_missing: false, + fail_on_error: true + }) + .Build() + .Run })(); function process(evt) { - crowdstrikeFalcon.process(evt); + crowdstrikeFalconProcessor(evt); } diff --git a/x-pack/filebeat/module/crowdstrike/falcon/ingest/pipeline.yml b/x-pack/filebeat/module/crowdstrike/falcon/ingest/pipeline.yml new file mode 100644 index 00000000000..3aa632ab715 --- /dev/null +++ b/x-pack/filebeat/module/crowdstrike/falcon/ingest/pipeline.yml 
@@ -0,0 +1,31 @@ +description: Ingest pipeline for normalizing CrowdStrike Falcon logs +processors: + - set: + field: event.ingested + value: '{{_ingest.timestamp}}' + - script: + lang: painless + if: ctx?.crowdstrike?.event != null + params: + values: + - null + - '' + - '-' + - 'N/A' + source: | + ctx.crowdstrike.event.entrySet().removeIf(entry -> params.values.contains(entry.getValue())); + - script: + lang: painless + if: ctx?.crowdstrike?.metadata != null + params: + values: + - null + - '' + - '-' + - 'N/A' + source: | + ctx.crowdstrike.metadata.entrySet().removeIf(entry -> params.values.contains(entry.getValue())); +on_failure: + - set: + field: error.message + value: '{{ _ingest.on_failure_message }}' diff --git a/x-pack/filebeat/module/crowdstrike/falcon/manifest.yml b/x-pack/filebeat/module/crowdstrike/falcon/manifest.yml index ab5f880e3a3..905124a0eab 100644 --- a/x-pack/filebeat/module/crowdstrike/falcon/manifest.yml +++ b/x-pack/filebeat/module/crowdstrike/falcon/manifest.yml @@ -8,3 +8,4 @@ var: default: [forwarded] input: config/falcon.yml +ingest_pipeline: ingest/pipeline.yml diff --git a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log index d23985338fc..1a403c955ce 100644 --- a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log +++ b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log @@ -150,10 +150,10 @@ ] } } -{ +{ "metadata": { "customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "offset": 5, + "offset": 5, "eventType": "AuthActivityAuditEvent", "eventCreationTime": 1581601341730, "version": "1.0" @@ -167,10 +167,10 @@ "UTCTimestamp": 1581601341730 } } -{ +{ "metadata": { "customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "offset": 6, + "offset": 6, "eventType": "AuthActivityAuditEvent", "eventCreationTime": 1581601520236, "version": "1.0" 
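Review bot: The `if:` conditions on both script processors only null-check `ctx?.crowdstrike?.event` and `ctx?.crowdstrike?.metadata`, so if either field arrives as something other than a map (a string or list from an upstream parse, for example) the `entrySet()` call would presumably throw and the document is routed through `on_failure` with just `error.message` set; `if: ctx?.crowdstrike?.event instanceof Map` (and the same for `metadata`) is the safer guard. The two processors are otherwise identical apart from the field name, so a single script looping over `['event', 'metadata']` would keep the null-value list (`null`, `''`, `'-'`, `'N/A'`) from drifting between them. Note also that this cleanup runs in Elasticsearch after the beat-side JS has already copied values into ECS fields, so an empty `RuleDescription` is dropped from `crowdstrike.event` but still surfaces as `"rule.description": ""` in falcon-sample.log-expected.json further down in this diff; if empty ECS fields are unwanted, the filter has to cover those target fields too.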
@@ -183,17 +183,17 @@ "Success": true, "UTCTimestamp": 1581601520236, "AuditKeyValues": [ - { + { "Key": "target_name", "ValueString": "first.last@company.com" } ] } } -{ +{ "metadata": { "customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "offset": 7, + "offset": 7, "eventType": "AuthActivityAuditEvent", "eventCreationTime": 1581601572362, "version": "1.0" diff --git a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log-expected.json b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log-expected.json index e515eb46583..4d21948cac7 100644 --- a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log-expected.json +++ b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-audit-events.log-expected.json @@ -1,12 +1,11 @@ [ { - "@timestamp": "2020-02-27T19:12:14.000Z", "crowdstrike.event.HostnameField": "hostnameofmachine", "crowdstrike.event.SessionId": "6020260b-0398-4d41-999d-5531b55522de", - "crowdstrike.event.StartTimestamp": 1582830734, + "crowdstrike.event.StartTimestamp": "2020-02-27T19:12:14.000Z", "crowdstrike.event.UserName": "first.last@company.com", "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.eventCreationTime": 1582830734000, + "crowdstrike.metadata.eventCreationTime": "2020-02-27T19:12:14.000Z", "crowdstrike.metadata.eventType": "RemoteResponseSessionStartEvent", "crowdstrike.metadata.offset": 1045, "crowdstrike.metadata.version": "1.0", @@ -26,6 +25,7 @@ ], "log.offset": 0, "message": "Remote response session started", + "related.user": "first.last@company.com", "service.type": "crowdstrike", "tags": [ "forwarded" 
@@ -34,13 +34,12 @@ "user.name": "first.last@company.com" }, { - "@timestamp": "2020-02-27T19:12:52.000Z", - "crowdstrike.event.EndTimestamp": 1582830772, + "crowdstrike.event.EndTimestamp": "2020-02-27T19:12:52.000Z", "crowdstrike.event.HostnameField": "hostnameofmachine", "crowdstrike.event.SessionId": "6020260b-0398-4d41-999d-5531b55522de", "crowdstrike.event.UserName": "first.last@company.com", "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.eventCreationTime": 1582830772000, + "crowdstrike.metadata.eventCreationTime": "2020-02-27T19:12:52.000Z", "crowdstrike.metadata.eventType": "RemoteResponseSessionEndEvent", "crowdstrike.metadata.offset": 1046, "crowdstrike.metadata.version": "1.0", @@ -60,6 +59,7 @@ ], "log.offset": 457, "message": "Remote response session ended", + "related.user": "first.last@company.com", "service.type": "crowdstrike", "tags": [ "forwarded" @@ -68,7 +68,6 @@ "user.name": "first.last@company.com" }, { - "@timestamp": "2020-02-12T21:29:10.710Z", "crowdstrike.event.AuditKeyValues": [ { "Key": "APIClientID", @@ -94,11 +93,11 @@ "crowdstrike.event.OperationName": "streamStarted", "crowdstrike.event.ServiceName": "Crowdstrike Streaming API", "crowdstrike.event.Success": true, - "crowdstrike.event.UTCTimestamp": 1581542950, + "crowdstrike.event.UTCTimestamp": "2020-02-12T21:29:10.000Z", "crowdstrike.event.UserId": "api-client-id:1234567890abcdefghijklmnopqrstuvwxyz", "crowdstrike.event.UserIp": "10.10.0.8", "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.eventCreationTime": 1581542950710, + "crowdstrike.metadata.eventCreationTime": "2020-02-12T21:29:10.710Z", "crowdstrike.metadata.eventType": "AuthActivityAuditEvent", "crowdstrike.metadata.offset": 0, "crowdstrike.metadata.version": "1.0", 
@@ -120,6 +119,8 @@ ], "log.offset": 910, "message": "Crowdstrike Streaming API", + "related.ip": "10.10.0.8", + "related.user": "api-client-id:1234567890abcdefghijklmnopqrstuvwxyz", "service.type": "crowdstrike", "source.ip": "10.10.0.8", "tags": [ @@ -128,15 +129,14 @@ "user.name": "api-client-id:1234567890abcdefghijklmnopqrstuvwxyz" }, { - "@timestamp": "2020-02-12T21:39:37.147Z", "crowdstrike.event.OperationName": "twoFactorAuthenticate", "crowdstrike.event.ServiceName": "CrowdStrike Authentication", "crowdstrike.event.Success": true, - "crowdstrike.event.UTCTimestamp": 1581543577147, + "crowdstrike.event.UTCTimestamp": "2020-02-12T21:39:37.147Z", "crowdstrike.event.UserId": "alice@company.com", "crowdstrike.event.UserIp": "192.168.6.8", "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.eventCreationTime": 1581543577147, + "crowdstrike.metadata.eventCreationTime": "2020-02-12T21:39:37.147Z", "crowdstrike.metadata.eventType": "AuthActivityAuditEvent", "crowdstrike.metadata.offset": 1, "crowdstrike.metadata.version": "1.0", @@ -158,6 +158,8 @@ ], "log.offset": 2152, "message": "CrowdStrike Authentication", + "related.ip": "192.168.6.8", + "related.user": "alice@company.com", "service.type": "crowdstrike", "source.ip": "192.168.6.8", "tags": [ 
@@ -167,15 +169,14 @@ "user.name": "alice@company.com" }, { - "@timestamp": "2020-02-12T22:14:37.554Z", "crowdstrike.event.OperationName": "twoFactorAuthenticate", "crowdstrike.event.ServiceName": "CrowdStrike Authentication", "crowdstrike.event.Success": true, - "crowdstrike.event.UTCTimestamp": 1581545677554, + "crowdstrike.event.UTCTimestamp": "2020-02-12T22:14:37.554Z", "crowdstrike.event.UserId": "bob@company.com", "crowdstrike.event.UserIp": "192.168.6.3", "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.eventCreationTime": 1581545677554, + "crowdstrike.metadata.eventCreationTime": "2020-02-12T22:14:37.554Z", "crowdstrike.metadata.eventType": "AuthActivityAuditEvent", "crowdstrike.metadata.offset": 2, "crowdstrike.metadata.version": "1.0", @@ -197,6 +198,8 @@ ], "log.offset": 2645, "message": "CrowdStrike Authentication", + "related.ip": "192.168.6.3", + "related.user": "bob@company.com", "service.type": "crowdstrike", "source.ip": "192.168.6.3", "tags": [ @@ -206,7 +209,6 @@ "user.name": "bob@company.com" }, { - "@timestamp": "2020-02-12T22:24:08.000Z", "crowdstrike.event.AuditKeyValues": [ { "Key": "group_id", @@ -219,11 +221,11 @@ ], "crowdstrike.event.OperationName": "update_group", "crowdstrike.event.ServiceName": "groups", - "crowdstrike.event.UTCTimestamp": 1581546248, + "crowdstrike.event.UTCTimestamp": "2020-02-12T22:24:08.000Z", "crowdstrike.event.UserId": "chris@company.com", "crowdstrike.event.UserIp": "192.168.6.13", "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.eventCreationTime": 1581546248000, + "crowdstrike.metadata.eventCreationTime": "2020-02-12T22:24:08.000Z", "crowdstrike.metadata.eventType": "UserActivityAuditEvent", "crowdstrike.metadata.offset": 3, "crowdstrike.metadata.version": "1.0", 
@@ -245,6 +247,8 @@ ], "log.offset": 3136, "message": "update_group", + "related.ip": "192.168.6.13", + "related.user": "chris@company.com", "service.type": "crowdstrike", "source.ip": "192.168.6.13", "tags": [ @@ -254,7 +258,6 @@ "user.name": "chris@company.com" }, { - "@timestamp": "2020-02-13T13:41:52.140Z", "crowdstrike.event.AuditKeyValues": [ { "Key": "target_name", @@ -264,11 +267,11 @@ "crowdstrike.event.OperationName": "requestResetPassword", "crowdstrike.event.ServiceName": "CrowdStrike Authentication", "crowdstrike.event.Success": true, - "crowdstrike.event.UTCTimestamp": 1581601312140, + "crowdstrike.event.UTCTimestamp": "2020-02-13T13:41:52.140Z", "crowdstrike.event.UserId": "alice@company.com", "crowdstrike.event.UserIp": "192.168.6.8", "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.eventCreationTime": 1581601312140, + "crowdstrike.metadata.eventCreationTime": "2020-02-13T13:41:52.140Z", "crowdstrike.metadata.eventType": "AuthActivityAuditEvent", "crowdstrike.metadata.offset": 4, "crowdstrike.metadata.version": "1.0", @@ -290,6 +293,8 @@ ], "log.offset": 3858, "message": "CrowdStrike Authentication", + "related.ip": "192.168.6.8", + "related.user": "alice@company.com", "service.type": "crowdstrike", "source.ip": "192.168.6.8", "tags": [ 
@@ -299,15 +304,14 @@ "user.name": "alice@company.com" }, { - "@timestamp": "2020-02-13T13:42:21.730Z", "crowdstrike.event.OperationName": "twoFactorAuthenticate", "crowdstrike.event.ServiceName": "CrowdStrike Authentication", "crowdstrike.event.Success": true, - "crowdstrike.event.UTCTimestamp": 1581601341730, + "crowdstrike.event.UTCTimestamp": "2020-02-13T13:42:21.730Z", "crowdstrike.event.UserId": "alice@company.com", "crowdstrike.event.UserIp": "192.168.6.8", "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.eventCreationTime": 1581601341730, + "crowdstrike.metadata.eventCreationTime": "2020-02-13T13:42:21.730Z", "crowdstrike.metadata.eventType": "AuthActivityAuditEvent", "crowdstrike.metadata.offset": 5, "crowdstrike.metadata.version": "1.0", @@ -329,6 +333,8 @@ ], "log.offset": 4506, "message": "CrowdStrike Authentication", + "related.ip": "192.168.6.8", + "related.user": "alice@company.com", "service.type": "crowdstrike", "source.ip": "192.168.6.8", "tags": [ @@ -338,7 +344,6 @@ "user.name": "alice@company.com" }, { - "@timestamp": "2020-02-13T13:45:20.236Z", "crowdstrike.event.AuditKeyValues": [ { "Key": "target_name", @@ -348,11 +353,11 @@ "crowdstrike.event.OperationName": "changePassword", "crowdstrike.event.ServiceName": "CrowdStrike Authentication", "crowdstrike.event.Success": true, - "crowdstrike.event.UTCTimestamp": 1581601520236, + "crowdstrike.event.UTCTimestamp": "2020-02-13T13:45:20.236Z", "crowdstrike.event.UserId": "alice@company.com", "crowdstrike.event.UserIp": "192.168.6.8", "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.eventCreationTime": 1581601520236, + "crowdstrike.metadata.eventCreationTime": "2020-02-13T13:45:20.236Z", "crowdstrike.metadata.eventType": "AuthActivityAuditEvent", "crowdstrike.metadata.offset": 6, "crowdstrike.metadata.version": "1.0", 
@@ -372,8 +377,10 @@ "log.flags": [ "multiline" ], - "log.offset": 5003, + "log.offset": 4999, "message": "CrowdStrike Authentication", + "related.ip": "192.168.6.8", + "related.user": "alice@company.com", "service.type": "crowdstrike", "source.ip": "192.168.6.8", "tags": [ @@ -383,15 +390,14 @@ "user.name": "alice@company.com" }, { - "@timestamp": "2020-02-13T13:46:12.362Z", "crowdstrike.event.OperationName": "userAuthenticate", "crowdstrike.event.ServiceName": "CrowdStrike Authentication", "crowdstrike.event.Success": true, - "crowdstrike.event.UTCTimestamp": 1581601572362, + "crowdstrike.event.UTCTimestamp": "2020-02-13T13:46:12.362Z", "crowdstrike.event.UserId": "alice@company.com", "crowdstrike.event.UserIp": "192.168.6.8", "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.eventCreationTime": 1581601572362, + "crowdstrike.metadata.eventCreationTime": "2020-02-13T13:46:12.362Z", "crowdstrike.metadata.eventType": "AuthActivityAuditEvent", "crowdstrike.metadata.offset": 7, "crowdstrike.metadata.version": "1.0", @@ -411,8 +417,10 @@ "log.flags": [ "multiline" ], - "log.offset": 5657, + "log.offset": 5646, "message": "CrowdStrike Authentication", + "related.ip": "192.168.6.8", + "related.user": "alice@company.com", "service.type": "crowdstrike", "source.ip": "192.168.6.8", "tags": [ 
@@ -422,15 +430,14 @@ "user.name": "alice@company.com" }, { - "@timestamp": "2020-02-13T13:50:14.754Z", "crowdstrike.event.OperationName": "twoFactorAuthenticate", "crowdstrike.event.ServiceName": "CrowdStrike Authentication", "crowdstrike.event.Success": true, - "crowdstrike.event.UTCTimestamp": 1581601814754, + "crowdstrike.event.UTCTimestamp": "2020-02-13T13:50:14.754Z", "crowdstrike.event.UserId": "alice@company.com", "crowdstrike.event.UserIp": "192.168.6.8", "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.eventCreationTime": 1581601814754, + "crowdstrike.metadata.eventCreationTime": "2020-02-13T13:50:14.754Z", "crowdstrike.metadata.eventType": "AuthActivityAuditEvent", "crowdstrike.metadata.offset": 8, "crowdstrike.metadata.version": "1.0", @@ -450,8 +457,10 @@ "log.flags": [ "multiline" ], - "log.offset": 6149, + "log.offset": 6134, "message": "CrowdStrike Authentication", + "related.ip": "192.168.6.8", + "related.user": "alice@company.com", "service.type": "crowdstrike", "source.ip": "192.168.6.8", "tags": [ @@ -461,15 +470,14 @@ "user.name": "alice@company.com" }, { - "@timestamp": "2020-02-13T13:50:20.289Z", "crowdstrike.event.OperationName": "selfAcceptEula", "crowdstrike.event.ServiceName": "CrowdStrike Authentication", "crowdstrike.event.Success": true, - "crowdstrike.event.UTCTimestamp": 1581601820289, + "crowdstrike.event.UTCTimestamp": "2020-02-13T13:50:20.289Z", "crowdstrike.event.UserId": "alice@company.com", "crowdstrike.event.UserIp": "192.168.6.8", "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.eventCreationTime": 1581601820289, + "crowdstrike.metadata.eventCreationTime": "2020-02-13T13:50:20.289Z", "crowdstrike.metadata.eventType": "AuthActivityAuditEvent", "crowdstrike.metadata.offset": 9, "crowdstrike.metadata.version": "1.0", 
@@ -489,8 +497,10 @@ "log.flags": [ "multiline" ], - "log.offset": 6642, + "log.offset": 6627, "message": "CrowdStrike Authentication", + "related.ip": "192.168.6.8", + "related.user": "alice@company.com", "service.type": "crowdstrike", "source.ip": "192.168.6.8", "tags": [ @@ -500,7 +510,6 @@ "user.name": "alice@company.com" }, { - "@timestamp": "2020-02-13T14:14:22.000Z", "crowdstrike.event.AuditKeyValues": [ { "Key": "detection_id", @@ -521,11 +530,11 @@ ], "crowdstrike.event.OperationName": "detection_update", "crowdstrike.event.ServiceName": "detections", - "crowdstrike.event.UTCTimestamp": 1581603262, + "crowdstrike.event.UTCTimestamp": "2020-02-13T14:14:22.000Z", "crowdstrike.event.UserId": "alice@company.com", "crowdstrike.event.UserIp": "192.168.6.8", "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.eventCreationTime": 1581603262000, + "crowdstrike.metadata.eventCreationTime": "2020-02-13T14:14:22.000Z", "crowdstrike.metadata.eventType": "UserActivityAuditEvent", "crowdstrike.metadata.offset": 10, "crowdstrike.metadata.version": "1.0", @@ -545,8 +554,10 @@ "log.flags": [ "multiline" ], - "log.offset": 7128, + "log.offset": 7113, "message": "detection_update", + "related.ip": "192.168.6.8", + "related.user": "alice@company.com", "service.type": "crowdstrike", "source.ip": "192.168.6.8", "tags": [ diff --git a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log index 7842299bacf..0980bf0fb60 100644 --- a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log +++ b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log 
@@ -66,3 +66,29 @@ "FineScore": 1.2 } } +{ + "metadata": { + "customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", + "offset": 22865, + "eventType": "UserActivityAuditEvent", + "eventCreationTime": 1593186952000, + "version": "1.0" + }, + "event": { + "UserId": "Crowdstrike", + "UserIp": "", + "OperationName": "quarantined_file_update", + "ServiceName": "quarantined_files", + "AuditKeyValues": [ + { + "Key": "quarantined_file_id", + "ValueString": "35b35a53da374816a6b471cf09e12019_a076d3121743755f2d4f8d4d5807f0bc013177f7847d09b48e76de88ace08c78" + }, + { + "Key": "action_taken", + "ValueString": "quarantined" + } + ], + "UTCTimestamp": 1593186952 + } +} diff --git a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log-expected.json b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log-expected.json index 3213435b88c..47c0e10f47a 100644 --- a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log-expected.json +++ b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-events.log-expected.json @@ -1,6 +1,5 @@ [ { - "@timestamp": "2020-02-19T08:30:00.000Z", "crowdstrike.event.CommandLine": "C:\\Windows\\Explorer.EXE", "crowdstrike.event.ComputerName": "alice-laptop", "crowdstrike.event.DetectDescription": "Terminated a process related to the deletion of backups, which is often indicative of ransomware activity.", @@ -32,7 +31,7 @@ "crowdstrike.event.PatternDispositionValue": 16, "crowdstrike.event.ProcessEndTime": 0, "crowdstrike.event.ProcessId": 38684386611, - "crowdstrike.event.ProcessStartTime": 1536846339, + "crowdstrike.event.ProcessStartTime": "2018-09-13T13:45:39.000Z", "crowdstrike.event.SHA256String": "6a671b92a69755de6fd063fcbe4ba926d83b49f78c42dbaeed8cdb6bbc57576a", "crowdstrike.event.SensorId": "7c808b4c8878433287eea53d4a8c3268", "crowdstrike.event.Severity": 4, 
@@ -41,7 +40,7 @@ "crowdstrike.event.Technique": "Ransomware", "crowdstrike.event.UserName": "alice", "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.eventCreationTime": 1582101000000, + "crowdstrike.metadata.eventCreationTime": "2020-02-19T08:30:00.000Z", "crowdstrike.metadata.eventType": "DetectionSummaryEvent", "crowdstrike.metadata.offset": 294564, "crowdstrike.metadata.version": "1.0", @@ -75,6 +74,7 @@ "process.executable": "C:\\Windows\\Explorer.EXE", "process.name": "explorer.exe", "process.pid": 38684386611, + "related.ip": "192.168.12.51", "rule.description": "Terminated a process related to the deletion of backups, which is often indicative of ransomware activity.", "rule.name": "Process Terminated", "service.type": "crowdstrike", @@ -88,14 +88,13 @@ "user.name": "alice" }, { - "@timestamp": "2020-03-04T04:17:56.766Z", "crowdstrike.event.FalconHostLink": "https://falcon.crowdstrike.com/crowdscore/incidents/details/inc:8f69fe9e-b995-4204-95ad-44f9bcf75b6b", "crowdstrike.event.FineScore": 1.2, - "crowdstrike.event.IncidentEndTime": 1583295470, - "crowdstrike.event.IncidentStartTime": 1583295228, + "crowdstrike.event.IncidentEndTime": "2020-03-04T04:17:50.000Z", + "crowdstrike.event.IncidentStartTime": "2020-03-04T04:13:48.000Z", "crowdstrike.event.State": "open", "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", - "crowdstrike.metadata.eventCreationTime": 1583295476766, + "crowdstrike.metadata.eventCreationTime": "2020-03-04T04:17:56.766Z", "crowdstrike.metadata.eventType": "IncidentSummaryEvent", "crowdstrike.metadata.offset": 1824, "crowdstrike.metadata.version": "1.0", 
@@ -122,5 +121,50 @@ "tags": [ "forwarded" ] + }, + { + "crowdstrike.event.AuditKeyValues": [ + { + "Key": "quarantined_file_id", + "ValueString": "35b35a53da374816a6b471cf09e12019_a076d3121743755f2d4f8d4d5807f0bc013177f7847d09b48e76de88ace08c78" + }, + { + "Key": "action_taken", + "ValueString": "quarantined" + } + ], + "crowdstrike.event.OperationName": "quarantined_file_update", + "crowdstrike.event.ServiceName": "quarantined_files", + "crowdstrike.event.UTCTimestamp": "2020-06-26T15:55:52.000Z", + "crowdstrike.event.UserId": "Crowdstrike", + "crowdstrike.metadata.customerIDString": "8f69fe9e-b995-4204-95ad-44f9bcf75b6b", + "crowdstrike.metadata.eventCreationTime": "2020-06-26T15:55:52.000Z", + "crowdstrike.metadata.eventType": "UserActivityAuditEvent", + "crowdstrike.metadata.offset": 22865, + "crowdstrike.metadata.version": "1.0", + "event.action": "user_activity_audit_event", + "event.category": [ + "iam" + ], + "event.dataset": "crowdstrike.falcon_audit", + "event.kind": "event", + "event.module": "crowdstrike", + "event.outcome": "unknown", + "event.type": [ + "change" + ], + "fileset.name": "falcon", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 2579, + "message": "quarantined_file_update", + "related.user": "Crowdstrike", + "service.type": "crowdstrike", + "tags": [ + "forwarded" + ], + "user.name": "Crowdstrike" } ] \ No newline at end of file diff --git a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-sample.log b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-sample.log new file mode 100644 index 00000000000..efd3b565576 --- /dev/null +++ b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-sample.log 
@@ -0,0 +1,254 @@ +{ + "metadata": { + "customerIDString": "12345a1bc2d34fghi56jk7890lmno12p", + "offset": 70689, + "eventType": "FirewallMatchEvent", + "eventCreationTime": 1595248906000, + "version": "1.0" + }, + "event": { + "DeviceId": "718af202ab2c4ba5b6a5d10d39c0e0a5", + "CustomerId": "12345a1bc2d34fghi56jk7890lmno12p", + "Ipv": "ipv4", + "CommandLine": "", + "ConnectionDirection": "1", + "EventType": "FirewallRuleIP4Matched", + "Flags": { + "Audit": false, + "Log": false, + "Monitor": true + }, + "HostName": "TESTDEVICE01", + "ICMPCode": "", + "ICMPType": "", + "ImageFileName": "", + "LocalAddress": "10.37.60.194", + "LocalPort": "445", + "MatchCount": 1, + "MatchCountSinceLastReport": 1, + "NetworkProfile": "2", + "PID": "206158879910", + "PolicyName": "PROD-FW-Workstations-General", + "PolicyID": "74e7f1552a3a4d90a6d65578642c8584", + "Protocol": "6", + "RemoteAddress": "10.37.60.21", + "RemotePort": "54952", + "RuleAction": "2", + "RuleDescription": "", + "RuleFamilyID": "fec73e96a1bf4481be582c3f89b234fa", + "RuleGroupName": "SMB Rules", + "RuleName": "Inbound SMB Block \u0026 Log Private", + "RuleId": "4877172638743447345", + "Status": "", + "Timestamp": "2020-07-20T12:41:44Z", + "TreeID": "" + } +} +{ + "metadata": { + "customerIDString": "12345a1bc2d34fghi56jk7890lmno12p", + "offset": 57181, + "eventType": "IncidentSummaryEvent", + "eventCreationTime": 1595005328414, + "version": "1.0" + }, + "event": { + "IncidentStartTime": 1595005316, + "IncidentEndTime": 1595005316, + "FalconHostLink": "https://falcon.crowdstrike.com/crowdscore/incidents/details/inc:1234567893cd4e55b3a832ba2140478e:72e291e40c1544d390eabf135d875e54", + "State": "open", + "FineScore": 0.1, + "LateralMovement": 0 + } +} +{ + "metadata": { + "customerIDString": "12345a1bc2d34fghi56jk7890lmno12p", + "offset": 70509, + "eventType": "AuthActivityAuditEvent", + "eventCreationTime": 1595247970093, + "version": "1.0" + }, + "event": { + "UserId": "first.last@company.com", + "UserIp": 
"165.225.220.184", + "OperationName": "saml2Assert", + "ServiceName": "Crowdstrike Authentication", + "Success": true, + "UTCTimestamp": 1595247970, + "AuditKeyValues": [ + { + "Key": "trace_id", + "ValueString": "b0b33836-555c-4e0e-a5ef-d368f6799f6b" + }, + { + "Key": "actor_user", + "ValueString": "first.last@company.com" + }, + { + "Key": "actor_user_uuid", + "ValueString": "123ab141-fab1-41c9-85c5-43a1ef90d2c2" + }, + { + "Key": "actor_cid", + "ValueString": "774694c2ef8c43fdb64ec3056ddfb96d" + }, + { + "Key": "target_user", + "ValueString": "first.last@company.com" + } + ] + } +} +{ + "metadata": { + "customerIDString": "12345a1bc2d34fghi56jk7890lmno12p", + "offset": 70683, + "eventType": "UserActivityAuditEvent", + "eventCreationTime": 1595248885000, + "version": "1.0" + }, + "event": { + "UserId": "Crowdstrike", + "UserIp": "", + "OperationName": "quarantined_file_update", + "ServiceName": "quarantined_files", + "AuditKeyValues": [ + { + "Key": "quarantined_file_id", + "ValueString": "ab1cde05567b455b93afbe2d3df352c9_328024a065630f897f09963d4b67b0c95d4054f540c2ca8014d5b012718bfa21" + }, + { + "Key": "action_taken", + "ValueString": "quarantined" + } + ], + "UTCTimestamp": 1595248885 + } +} +{ + "metadata": { + "customerIDString": "12345a1bc2d34fghi56jk7890lmno12p", + "offset": 57217, + "eventType": "RemoteResponseSessionStartEvent", + "eventCreationTime": 1595006093000, + "version": "1.0" + }, + "event": { + "SessionId": "330633db-1cda-4355-b0d8-2c2edc91fe3e", + "HostnameField": "TESTDEVICE01", + "UserName": "first.last@company.com", + "StartTimestamp": 1595006093 + } +} +{ + "metadata": { + "customerIDString": "12345a1bc2d34fghi56jk7890lmno12p", + "offset": 57269, + "eventType": "RemoteResponseSessionEndEvent", + "eventCreationTime": 1595006899000, + "version": "1.0" + }, + "event": { + "SessionId": "330633db-1cda-4355-b0d8-2c2edc91fe3e", + "HostnameField": "TESTDEVICE01", + "UserName": "first.last@company.com", + "EndTimestamp": 1595006899, + "Commands": [ 
+ "cd \\Program Files (x86)\\Symantec", + "ls .", + "cd \\Program Files (x86)", + "ls .", + "reg query HKEY_LOCAL_MACHINE\\SYSTEM\\CrowdStrike\\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}\\{16e0423f-7058-48c9-a204-725362b67639}\\Default", + "reg set HKEY_LOCAL_MACHINE\\SYSTEM\\CrowdStrike\\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}\\{16e0423f-7058-48c9-a204-725362b67639}\\Default GroupingTags -ValueType=```REG_SZ``` -Value=```Protect```", + "reg query HKEY_LOCAL_MACHINE\\SYSTEM\\CrowdStrike\\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}\\{16e0423f-7058-48c9-a204-725362b67639}\\Default", + "restart", + "restart -Confirm" + ] + } +} +{ + "metadata": { + "customerIDString": "12345a1bc2d34fghi56jk7890lmno12p", + "offset": 57047, + "eventType": "DetectionSummaryEvent", + "eventCreationTime": 1595002291000, + "version": "1.0" + }, + "event": { + "ProcessStartTime": 1595002290, + "ProcessEndTime": 1595002290, + "ProcessId": 663790158277, + "ParentProcessId": 627311656469, + "ComputerName": "TESTDEVICE01", + "UserName": "First.last", + "DetectName": "NGAV", + "DetectDescription": "This file meets the machine learning-based on-sensor AV protection's low confidence threshold for malicious files.", + "Severity": 2, + "SeverityName": "Low", + "FileName": "filename.exe", + "FilePath": "\\Device\\HarddiskVolume2\\ProgramData\\file\\path", + "CommandLine": "\"C:\\ProgramData\\file\\path\\filename.exe\" ", + "SHA256String": "0a123b185f9a32fde1df59897089014c92e3d08a0533b54baa72ba2a93d64deb", + "MD5String": "0ab1235adca04aef6239f5496ef0a5df", + "SHA1String": "0000000000000000000000000000000000000000", + "MachineDomain": "NA", + "ExecutablesWritten": [ + { + "Timestamp": 1595002290, + "FileName": "NEURO_200_J1939Configuration.mexw64", + "FilePath": "\\Device\\HarddiskVolume2\\ProgramData\\file\\path\\is\\right\\here\\folder" + }, + { + "Timestamp": 1595002290, + "FileName": "NEURO_200_J1939Configuration.mexw64", + "FilePath": 
"\\Device\\HarddiskVolume2\\ProgramData\\file\\path\\is\\right\\here\\folder" + }, + { + "Timestamp": 1595002290, + "FileName": "NEURO_200_J1939CanPackMessage.mexw64", + "FilePath": "\\Device\\HarddiskVolume2\\ProgramData\\file\\path\\is\\right\\here\\folder" + }, + { + "Timestamp": 1595002290, + "FileName": "NEURO_200_J1939CanPackMessage.mexw64", + "FilePath": "\\Device\\HarddiskVolume2\\ProgramData\\file\\path\\is\\right\\here\\folder" + } + ], + "FalconHostLink": "https://falcon.crowdstrike.com/activity/detections/detail/1abcd2345b8c4151a0cb45dcfbe6d3d0/124559902719?_cid=12345a1bc2d34fghi56jk7890lmno12p", + "SensorId": "1abcd2345b8c4151a0cb45dcfbe6d3d0", + "IOCType": "hash_sha256", + "IOCValue": "0a123b185f9a32fde1df59897089014c92e3d08a0533b54baa72ba2a93d64deb", + "DetectId": "ldt:1abcd2345b8c4151a0cb45dcfbe6d3d0:124559902719", + "LocalIP": "10.1.190.117", + "MACAddress": "54-ad-d4-d2-a8-0b", + "Tactic": "Machine Learning", + "Technique": "Sensor-based ML", + "Objective": "Falcon Detection Method", + "PatternDispositionDescription": "Detection, process would have been blocked if related prevention policy setting was enabled.", + "PatternDispositionValue": 2304, + "PatternDispositionFlags": { + "Indicator": false, + "Detect": false, + "InddetMask": false, + "SensorOnly": false, + "Rooting": false, + "KillProcess": false, + "KillSubProcess": false, + "QuarantineMachine": false, + "QuarantineFile": false, + "PolicyDisabled": true, + "KillParent": false, + "OperationBlocked": false, + "ProcessBlocked": true, + "RegistryOperationBlocked": false, + "CriticalProcessDisabled": false, + "BootupSafeguardEnabled": false, + "FsOperationBlocked": false + }, + "ParentImageFileName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", + "ParentCommandLine": "C:\\Windows\\Explorer.EXE", + "GrandparentImageFileName": "\\Device\\HarddiskVolume2\\Windows\\System32\\userinit.exe", + "GrandparentCommandLine": "C:\\Windows\\system32\\userinit.exe" + } +} 
diff --git a/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-sample.log-expected.json b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-sample.log-expected.json new file mode 100644 index 00000000000..e1fd5b6b0c7 --- /dev/null +++ b/x-pack/filebeat/module/crowdstrike/falcon/test/falcon-sample.log-expected.json 
@@ -0,0 +1,424 @@ +[ + { + "crowdstrike.event.ConnectionDirection": "1", + "crowdstrike.event.CustomerId": "12345a1bc2d34fghi56jk7890lmno12p", + "crowdstrike.event.DeviceId": "718af202ab2c4ba5b6a5d10d39c0e0a5", + "crowdstrike.event.EventType": "FirewallRuleIP4Matched", + "crowdstrike.event.Flags.Audit": false, + "crowdstrike.event.Flags.Log": false, + "crowdstrike.event.Flags.Monitor": true, + "crowdstrike.event.HostName": "TESTDEVICE01", + "crowdstrike.event.Ipv": "ipv4", + "crowdstrike.event.LocalAddress": "10.37.60.194", + "crowdstrike.event.LocalPort": "445", + "crowdstrike.event.MatchCount": 1, + "crowdstrike.event.MatchCountSinceLastReport": 1, + "crowdstrike.event.NetworkProfile": "2", + "crowdstrike.event.PID": "206158879910", + "crowdstrike.event.PolicyID": "74e7f1552a3a4d90a6d65578642c8584", + "crowdstrike.event.PolicyName": "PROD-FW-Workstations-General", + "crowdstrike.event.Protocol": "6", + "crowdstrike.event.RemoteAddress": "10.37.60.21", + "crowdstrike.event.RemotePort": "54952", + "crowdstrike.event.RuleAction": "2", + "crowdstrike.event.RuleFamilyID": "fec73e96a1bf4481be582c3f89b234fa", + "crowdstrike.event.RuleGroupName": "SMB Rules", + "crowdstrike.event.RuleId": "4877172638743447345", + "crowdstrike.event.RuleName": "Inbound SMB Block & Log Private", + "crowdstrike.event.Timestamp": "2020-07-20T12:41:44Z", + "crowdstrike.metadata.customerIDString": "12345a1bc2d34fghi56jk7890lmno12p", + "crowdstrike.metadata.eventCreationTime": "2020-07-20T12:41:46.000Z", + "crowdstrike.metadata.eventType": "FirewallMatchEvent", + "crowdstrike.metadata.offset": 70689, + "crowdstrike.metadata.version": "1.0", + "destination.ip": "10.37.60.194", + "destination.port": "445", + "event.action": "firewall_match_event", + "event.category": [ + "network" + ], + "event.code": "FirewallRuleIP4Matched", + "event.dataset": "crowdstrike.falcon_endpoint", + "event.kind": "event", + "event.module": "crowdstrike", + "event.outcome": [ + "unknown" + ], + "event.type": [ + 
"start", + "connection" + ], + "fileset.name": "falcon", + "host.name": "TESTDEVICE01", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 0, + "message": "Firewall Rule 'Inbound SMB Block & Log Private' triggered", + "network.direction": "inbound", + "network.type": "ipv4", + "process.pid": "206158879910", + "related.ip": [ + "10.37.60.21", + "10.37.60.194" + ], + "rule.category": "fec73e96a1bf4481be582c3f89b234fa", + "rule.description": "", + "rule.id": "4877172638743447345", + "rule.name": "Inbound SMB Block & Log Private", + "rule.ruleset": "SMB Rules", + "service.type": "crowdstrike", + "source.ip": "10.37.60.21", + "source.port": "54952", + "tags": [ + "forwarded" + ] + }, + { + "crowdstrike.event.FalconHostLink": "https://falcon.crowdstrike.com/crowdscore/incidents/details/inc:1234567893cd4e55b3a832ba2140478e:72e291e40c1544d390eabf135d875e54", + "crowdstrike.event.FineScore": 0.1, + "crowdstrike.event.IncidentEndTime": "2020-07-17T17:01:56.000Z", + "crowdstrike.event.IncidentStartTime": "2020-07-17T17:01:56.000Z", + "crowdstrike.event.LateralMovement": 0, + "crowdstrike.event.State": "open", + "crowdstrike.metadata.customerIDString": "12345a1bc2d34fghi56jk7890lmno12p", + "crowdstrike.metadata.eventCreationTime": "2020-07-17T17:02:08.414Z", + "crowdstrike.metadata.eventType": "IncidentSummaryEvent", + "crowdstrike.metadata.offset": 57181, + "crowdstrike.metadata.version": "1.0", + "event.action": "incident", + "event.category": [ + "malware" + ], + "event.dataset": "crowdstrike.falcon_endpoint", + "event.kind": "alert", + "event.module": "crowdstrike", + "event.outcome": "unknown", + "event.type": [ + "info" + ], + "event.url": "https://falcon.crowdstrike.com/crowdscore/incidents/details/inc:1234567893cd4e55b3a832ba2140478e:72e291e40c1544d390eabf135d875e54", + "fileset.name": "falcon", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 1469, + "message": "Incident score 0.1", + "service.type": "crowdstrike", + 
"tags": [ + "forwarded" + ] + }, + { + "crowdstrike.event.AuditKeyValues": [ + { + "Key": "trace_id", + "ValueString": "b0b33836-555c-4e0e-a5ef-d368f6799f6b" + }, + { + "Key": "actor_user", + "ValueString": "first.last@company.com" + }, + { + "Key": "actor_user_uuid", + "ValueString": "123ab141-fab1-41c9-85c5-43a1ef90d2c2" + }, + { + "Key": "actor_cid", + "ValueString": "774694c2ef8c43fdb64ec3056ddfb96d" + }, + { + "Key": "target_user", + "ValueString": "first.last@company.com" + } + ], + "crowdstrike.event.OperationName": "saml2Assert", + "crowdstrike.event.ServiceName": "Crowdstrike Authentication", + "crowdstrike.event.Success": true, + "crowdstrike.event.UTCTimestamp": "2020-07-20T12:26:10.000Z", + "crowdstrike.event.UserId": "first.last@company.com", + "crowdstrike.event.UserIp": "165.225.220.184", + "crowdstrike.metadata.customerIDString": "12345a1bc2d34fghi56jk7890lmno12p", + "crowdstrike.metadata.eventCreationTime": "2020-07-20T12:26:10.093Z", + "crowdstrike.metadata.eventType": "AuthActivityAuditEvent", + "crowdstrike.metadata.offset": 70509, + "crowdstrike.metadata.version": "1.0", + "event.action": "saml2_assert", + "event.category": [ + "authentication" + ], + "event.dataset": "crowdstrike.falcon_audit", + "event.kind": "event", + "event.module": "crowdstrike", + "event.outcome": "success", + "event.type": [ + "change" + ], + "fileset.name": "falcon", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 2041, + "message": "Crowdstrike Authentication", + "related.ip": "165.225.220.184", + "related.user": "first.last@company.com", + "service.type": "crowdstrike", + "source.ip": "165.225.220.184", + "tags": [ + "forwarded" + ], + "user.email": "first.last@company.com", + "user.name": "first.last@company.com" + }, + { + "crowdstrike.event.AuditKeyValues": [ + { + "Key": "quarantined_file_id", + "ValueString": "ab1cde05567b455b93afbe2d3df352c9_328024a065630f897f09963d4b67b0c95d4054f540c2ca8014d5b012718bfa21" + }, + { + "Key": 
"action_taken", + "ValueString": "quarantined" + } + ], + "crowdstrike.event.OperationName": "quarantined_file_update", + "crowdstrike.event.ServiceName": "quarantined_files", + "crowdstrike.event.UTCTimestamp": "2020-07-20T12:41:25.000Z", + "crowdstrike.event.UserId": "Crowdstrike", + "crowdstrike.metadata.customerIDString": "12345a1bc2d34fghi56jk7890lmno12p", + "crowdstrike.metadata.eventCreationTime": "2020-07-20T12:41:25.000Z", + "crowdstrike.metadata.eventType": "UserActivityAuditEvent", + "crowdstrike.metadata.offset": 70683, + "crowdstrike.metadata.version": "1.0", + "event.action": "user_activity_audit_event", + "event.category": [ + "iam" + ], + "event.dataset": "crowdstrike.falcon_audit", + "event.kind": "event", + "event.module": "crowdstrike", + "event.outcome": "unknown", + "event.type": [ + "change" + ], + "fileset.name": "falcon", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 3219, + "message": "quarantined_file_update", + "related.user": "Crowdstrike", + "service.type": "crowdstrike", + "tags": [ + "forwarded" + ], + "user.name": "Crowdstrike" + }, + { + "crowdstrike.event.HostnameField": "TESTDEVICE01", + "crowdstrike.event.SessionId": "330633db-1cda-4355-b0d8-2c2edc91fe3e", + "crowdstrike.event.StartTimestamp": "2020-07-17T17:14:53.000Z", + "crowdstrike.event.UserName": "first.last@company.com", + "crowdstrike.metadata.customerIDString": "12345a1bc2d34fghi56jk7890lmno12p", + "crowdstrike.metadata.eventCreationTime": "2020-07-17T17:14:53.000Z", + "crowdstrike.metadata.eventType": "RemoteResponseSessionStartEvent", + "crowdstrike.metadata.offset": 57217, + "crowdstrike.metadata.version": "1.0", + "event.action": "remote_response_session_start_event", + "event.dataset": "crowdstrike.falcon_audit", + "event.kind": "event", + "event.module": "crowdstrike", + "event.outcome": "unknown", + "event.type": [ + "start" + ], + "fileset.name": "falcon", + "host.name": "TESTDEVICE01", + "input.type": "log", + "log.flags": [ + 
"multiline" + ], + "log.offset": 4017, + "message": "Remote response session started", + "related.user": "first.last@company.com", + "service.type": "crowdstrike", + "tags": [ + "forwarded" + ], + "user.email": "first.last@company.com", + "user.name": "first.last@company.com" + }, + { + "crowdstrike.event.Commands": [ + "cd \\Program Files (x86)\\Symantec", + "ls .", + "cd \\Program Files (x86)", + "ls .", + "reg query HKEY_LOCAL_MACHINE\\SYSTEM\\CrowdStrike\\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}\\{16e0423f-7058-48c9-a204-725362b67639}\\Default", + "reg set HKEY_LOCAL_MACHINE\\SYSTEM\\CrowdStrike\\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}\\{16e0423f-7058-48c9-a204-725362b67639}\\Default GroupingTags -ValueType=```REG_SZ``` -Value=```Protect```", + "reg query HKEY_LOCAL_MACHINE\\SYSTEM\\CrowdStrike\\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}\\{16e0423f-7058-48c9-a204-725362b67639}\\Default", + "restart", + "restart -Confirm" + ], + "crowdstrike.event.EndTimestamp": "2020-07-17T17:28:19.000Z", + "crowdstrike.event.HostnameField": "TESTDEVICE01", + "crowdstrike.event.SessionId": "330633db-1cda-4355-b0d8-2c2edc91fe3e", + "crowdstrike.event.UserName": "first.last@company.com", + "crowdstrike.metadata.customerIDString": "12345a1bc2d34fghi56jk7890lmno12p", + "crowdstrike.metadata.eventCreationTime": "2020-07-17T17:28:19.000Z", + "crowdstrike.metadata.eventType": "RemoteResponseSessionEndEvent", + "crowdstrike.metadata.offset": 57269, + "crowdstrike.metadata.version": "1.0", + "event.action": "remote_response_session_end_event", + "event.dataset": "crowdstrike.falcon_audit", + "event.kind": "event", + "event.module": "crowdstrike", + "event.outcome": "unknown", + "event.type": [ + "end" + ], + "fileset.name": "falcon", + "host.name": "TESTDEVICE01", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 4466, + "message": "Remote response session ended", + "related.user": "first.last@company.com", + "service.type": "crowdstrike", + "tags": [ + "forwarded" + 
], + "user.email": "first.last@company.com", + "user.name": "first.last@company.com" + }, + { + "crowdstrike.event.CommandLine": "\"C:\\ProgramData\\file\\path\\filename.exe\" ", + "crowdstrike.event.ComputerName": "TESTDEVICE01", + "crowdstrike.event.DetectDescription": "This file meets the machine learning-based on-sensor AV protection's low confidence threshold for malicious files.", + "crowdstrike.event.DetectId": "ldt:1abcd2345b8c4151a0cb45dcfbe6d3d0:124559902719", + "crowdstrike.event.DetectName": "NGAV", + "crowdstrike.event.ExecutablesWritten": [ + { + "FileName": "NEURO_200_J1939Configuration.mexw64", + "FilePath": "\\Device\\HarddiskVolume2\\ProgramData\\file\\path\\is\\right\\here\\folder", + "Timestamp": 1595002290 + }, + { + "FileName": "NEURO_200_J1939Configuration.mexw64", + "FilePath": "\\Device\\HarddiskVolume2\\ProgramData\\file\\path\\is\\right\\here\\folder", + "Timestamp": 1595002290 + }, + { + "FileName": "NEURO_200_J1939CanPackMessage.mexw64", + "FilePath": "\\Device\\HarddiskVolume2\\ProgramData\\file\\path\\is\\right\\here\\folder", + "Timestamp": 1595002290 + }, + { + "FileName": "NEURO_200_J1939CanPackMessage.mexw64", + "FilePath": "\\Device\\HarddiskVolume2\\ProgramData\\file\\path\\is\\right\\here\\folder", + "Timestamp": 1595002290 + } + ], + "crowdstrike.event.FalconHostLink": "https://falcon.crowdstrike.com/activity/detections/detail/1abcd2345b8c4151a0cb45dcfbe6d3d0/124559902719?_cid=12345a1bc2d34fghi56jk7890lmno12p", + "crowdstrike.event.FileName": "filename.exe", + "crowdstrike.event.FilePath": "\\Device\\HarddiskVolume2\\ProgramData\\file\\path", + "crowdstrike.event.GrandparentCommandLine": "C:\\Windows\\system32\\userinit.exe", + "crowdstrike.event.GrandparentImageFileName": "\\Device\\HarddiskVolume2\\Windows\\System32\\userinit.exe", + "crowdstrike.event.IOCType": "hash_sha256", + "crowdstrike.event.IOCValue": "0a123b185f9a32fde1df59897089014c92e3d08a0533b54baa72ba2a93d64deb", + "crowdstrike.event.LocalIP": "10.1.190.117", + 
"crowdstrike.event.MACAddress": "54-ad-d4-d2-a8-0b", + "crowdstrike.event.MD5String": "0ab1235adca04aef6239f5496ef0a5df", + "crowdstrike.event.MachineDomain": "NA", + "crowdstrike.event.Objective": "Falcon Detection Method", + "crowdstrike.event.ParentCommandLine": "C:\\Windows\\Explorer.EXE", + "crowdstrike.event.ParentImageFileName": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", + "crowdstrike.event.ParentProcessId": 627311656469, + "crowdstrike.event.PatternDispositionDescription": "Detection, process would have been blocked if related prevention policy setting was enabled.", + "crowdstrike.event.PatternDispositionFlags.BootupSafeguardEnabled": false, + "crowdstrike.event.PatternDispositionFlags.CriticalProcessDisabled": false, + "crowdstrike.event.PatternDispositionFlags.Detect": false, + "crowdstrike.event.PatternDispositionFlags.FsOperationBlocked": false, + "crowdstrike.event.PatternDispositionFlags.InddetMask": false, + "crowdstrike.event.PatternDispositionFlags.Indicator": false, + "crowdstrike.event.PatternDispositionFlags.KillParent": false, + "crowdstrike.event.PatternDispositionFlags.KillProcess": false, + "crowdstrike.event.PatternDispositionFlags.KillSubProcess": false, + "crowdstrike.event.PatternDispositionFlags.OperationBlocked": false, + "crowdstrike.event.PatternDispositionFlags.PolicyDisabled": true, + "crowdstrike.event.PatternDispositionFlags.ProcessBlocked": true, + "crowdstrike.event.PatternDispositionFlags.QuarantineFile": false, + "crowdstrike.event.PatternDispositionFlags.QuarantineMachine": false, + "crowdstrike.event.PatternDispositionFlags.RegistryOperationBlocked": false, + "crowdstrike.event.PatternDispositionFlags.Rooting": false, + "crowdstrike.event.PatternDispositionFlags.SensorOnly": false, + "crowdstrike.event.PatternDispositionValue": 2304, + "crowdstrike.event.ProcessEndTime": "2020-07-17T16:11:30.000Z", + "crowdstrike.event.ProcessId": 663790158277, + "crowdstrike.event.ProcessStartTime": "2020-07-17T16:11:30.000Z", + 
"crowdstrike.event.SHA1String": "0000000000000000000000000000000000000000", + "crowdstrike.event.SHA256String": "0a123b185f9a32fde1df59897089014c92e3d08a0533b54baa72ba2a93d64deb", + "crowdstrike.event.SensorId": "1abcd2345b8c4151a0cb45dcfbe6d3d0", + "crowdstrike.event.Severity": 2, + "crowdstrike.event.SeverityName": "Low", + "crowdstrike.event.Tactic": "Machine Learning", + "crowdstrike.event.Technique": "Sensor-based ML", + "crowdstrike.event.UserName": "First.last", + "crowdstrike.metadata.customerIDString": "12345a1bc2d34fghi56jk7890lmno12p", + "crowdstrike.metadata.eventCreationTime": "2020-07-17T16:11:31.000Z", + "crowdstrike.metadata.eventType": "DetectionSummaryEvent", + "crowdstrike.metadata.offset": 57047, + "crowdstrike.metadata.version": "1.0", + "event.action": "Detection, process would have been blocked if related prevention policy setting was enabled.", + "event.category": [ + "malware" + ], + "event.dataset": "crowdstrike.falcon_endpoint", + "event.kind": "alert", + "event.module": "crowdstrike", + "event.outcome": "unknown", + "event.severity": 2, + "event.type": [ + "info" + ], + "event.url": "https://falcon.crowdstrike.com/activity/detections/detail/1abcd2345b8c4151a0cb45dcfbe6d3d0/124559902719?_cid=12345a1bc2d34fghi56jk7890lmno12p", + "file.hash.md5": "0ab1235adca04aef6239f5496ef0a5df", + "file.hash.sha1": "0000000000000000000000000000000000000000", + "file.hash.sha256": "0a123b185f9a32fde1df59897089014c92e3d08a0533b54baa72ba2a93d64deb", + "fileset.name": "falcon", + "host.name": "TESTDEVICE01", + "input.type": "log", + "log.flags": [ + "multiline" + ], + "log.offset": 5646, + "message": "This file meets the machine learning-based on-sensor AV protection's low confidence threshold for malicious files.", + "process.args": [ + "\"C:\\ProgramData\\file\\path\\filename.exe\"" + ], + "process.command_line": "\"C:\\ProgramData\\file\\path\\filename.exe\" ", + "process.executable": "\"C:\\ProgramData\\file\\path\\filename.exe\"", + "process.name": 
"filename.exe", + "process.parent.command_line": "C:\\Windows\\Explorer.EXE", + "process.parent.executable": "\\Device\\HarddiskVolume2\\Windows\\explorer.exe", + "process.pid": 663790158277, + "related.ip": "10.1.190.117", + "rule.description": "This file meets the machine learning-based on-sensor AV protection's low confidence threshold for malicious files.", + "rule.name": "NGAV", + "service.type": "crowdstrike", + "source.ip": "10.1.190.117", + "tags": [ + "forwarded" + ], + "threat.tactic.name": "machine learning", + "threat.technique.name": "sensor-based ml", + "user.domain": "NA", + "user.name": "First.last" + } +] \ No newline at end of file diff --git a/x-pack/filebeat/module/crowdstrike/fields.go b/x-pack/filebeat/module/crowdstrike/fields.go index e4a1224d75e..11622ad9ea7 100644 --- a/x-pack/filebeat/module/crowdstrike/fields.go +++ b/x-pack/filebeat/module/crowdstrike/fields.go 
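Review bot: The DetectionSummaryEvent expectation stores `process.executable` as `"\"C:\\ProgramData\\file\\path\\filename.exe\""` and `process.args` as the same quoted token, i.e. the surrounding double quotes from `crowdstrike.event.CommandLine` were kept instead of stripped, so any detection rule or enrichment that compares `process.executable` against a path will not match this event. Since `process.name` in the same event is correctly `filename.exe`, the command-line tokenizing step in the pipeline (not part of this hunk) should trim the quotes before populating `process.executable` and `process.args`, and the expected value here should then read `"process.executable": "C:\\ProgramData\\file\\path\\filename.exe"`. Field types are also inconsistent across events in this file: the FirewallMatchEvent carries `event.outcome` as the array `["unknown"]` while every other event has the string `"unknown"`, and `process.pid`, `source.port` and `destination.port` are strings there although `process.pid` is a number in the detection event; ECS defines these as scalar keyword/long fields, so the pipeline should emit one type consistently. Because this file is regenerated pipeline output, committing it as-is locks these pipeline defects into the test oracle.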
@@ -19,5 +19,5 @@ func init() { // AssetCrowdstrike returns asset data. // This is the base64 encoded gzipped contents of module/crowdstrike. func AssetCrowdstrike() string { - return "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" + return "eJy8m19v47gRwN/zKQZ3r72gXWCvRR4KGHayazTJBrG317cDQ40tNhSpI0f2+dsfSEqKbMuWZFObpyCShj8OyfnL/ALvuLsDbvQ2sWTEO94AkCCJd/DT9OOvP90AGJTILN7BGxK7AUjQciNyElrdwb9vAACedFJIhJU2wLWUyEmoNTTkAG5Qkb29AVgJlIm989/9AopleMjhfmiX4x2sjS7y8i8tw7qfBy/OD90c74FJrlUYFphKgEk0BAkjdlt+2wRpwmRIzL1XP6g181Q+KT9tvHACzusGiUHjK4+KjKclHKWMQCguiwT9tD0uiQwtsSy/bWIcKSWMvWKFpN+9+DtYMWmx8fhwms2peoLlLse9p9VA77jbapMcPDszVfczQ3LLr9WiyDJmdvduiL/BgzC4ZVI+MeJp+be54iJBRftvvmKmCV/R5lpZXKC1ThgxQ+deuFdJ+XhSUDrhJDaCdpMiEdVn2sB3i+b4UT2F0yqaGmRuTkuRtasqYXT4oENPyxT9IgOlwpZbQXNeGIMJaAWUIqBKci2U2x7wfTmF78/z//3+tHA7KGN0ex5cr1YWqZVWKMI1mmHA37w8UEX2hibsWjKMv1uPKjX3GgK9Cuh+QkKBJYMsu4Wlm6awUFhMgDT4lRerHRRK/FEgJNW+aZiKM7PjhSWdoZnPFmSEWsfbwNNSckUoGopqRdmgcTswHsGCp5ixI7lHhgr3dm9tpfymHmSiwhdnbFRtQEe1Ri9Gc7TWn/XIJy0PosE62eHcXXKmSsJ7lYzER2gyocJJupZyfrjtrjj8pUiYz1w4wCicYXfQ63PbBcUMKhoDzQuuNXg54VRneUFontmJpb3oMDtplVHk5QiwTdHgPlxt/DsonQ+LS+gkeuHArNVceN1tBaWDtBf8/ni6G8Yx+xAcM7SpHw+lWuAGjaBdvG1fSQTLtRmsperruOt1wET4Z5epehAS4zI4iWE3lyppbOrKRjjvNkRbTuYLozQepZNWh0p/Ii+IvcnrDuBUZxlTyaNQEbV5/8GWO2RPxcNIIIVCYGZdZD0CtsXXyT9ih2pOJtgii6zJxdfJp8+/jgD76fOvI+A+zT7HZn2afR4DlPFUKJzpjImYZtnLqw91Fka5ijRUD75qS49CvUd0ta+PLirZCNweeH+hykE7Dbey2pyIny5jCvnXfNaqsbKOYv2wvVzvj2Pru5qPmjM5f4mHNX8BliTGuZLyhKTa0nVnYzKdBJERT/FkGp1zyTgJHpFxvny9B/JSgTPCtTa7odHMEnnqd0p0rkrwxWjf3v7v3tvERENKdeJA+udeRGjUTNhcW+E+GCU+ngRTRuwdFbzt+hm0Y7b/MnliJS8KlE/bENbgHUz5INm6/axqv+QDo1YnDYRKBGe+dh7YbC+4BR3XHK5Yxt9SpBSDMxVlidZFAxkzOxAWdI7KV4S0WmvHqg1wqW1n6lrXeyMXeBYfRZ0qCKi5G/WTfsWTCjJujee+LOlHAHwQChcuv2pFW0nNBu49L8yDVVA9ShAxvfx9xoT88FQGCovmlNP3Bck+gPko/r4NyeF2uYEcja/qxU12Q+HWFm9ORmfkaDaCR862S6EtaqmaGl1UBeengp43rSWyQwfVtVbBhmrjHOS2NGXagNLUbLVsmQUbxl4Vsms/LafLqh8XySDU8s6obrht8E2t/+DOu9B2pSq0hINrKr4p4Hs+WzQIPGVqjYkD7L3SH6UE+5sRRNgeeVzCFxIPTBqJqoVtGM
TlW4mw7y4gYVUFqPOo+J5iTBtXinRWrYwgjW9jgin7mGDDGx1oLid1v/kliYfnxO5VzaosuvJXJW0/yNrBxzwxLV5+H2r4cSl9fEzKI0d/LeMjIzRMPukNZvvtvg9MqY+KPx2YpVTISrGhLzckCAhtl3nG1hi/iOvLo2X7Jt/r7/SiGqUUetBnuqgI+sUwleQ/SnPrj9F6qq/BN4oOvxwTXabI+bdp3Gsr/u7QItwd8pdwwlFoxBJcZ7nRmbBdgdb82/R0Cns13MaJvoDu55YrOK341f2HmN6v5U5FZy3RxZUxGYJE0Aq2qeCNZKJv53WebyKeU6NJcy39SiqkrTbvYPCPAm2X5Z1qpULZZyZM+CWiliqRe2C8HrLLo8a/UNbc/LnRG5G4QC9cnevOelxgE9fCHoVKUnPnSUPA1LWHpk8vU51ExHl9mH7657/+7iWDEx1ceQ+OuMu0x7H0FrQPxzhecIwm8Mt8Fin4mhzDiGQwj+9qnOsZiMOYdlBXY8iu9igv2sSKTp2ooQzhVuh4+ijj+CEwI2hkGEUhcRLZP1RBBJhCYlml7oExSr9hn6Xxcg+gB5YJuTtxpCPQrLx8EF0G0LF8MbrIYxvAJoy/o+kH7EEzJkhPhJhh3z5A53r44Hiqi2iZ9nO4L61XsNojydxA2JXnfOAshOL4yCy9Yh7PrnTQgXWjhiiHWQLjx+7qxkYuqeyvIBmxXqPB1n+ROMh4njWByzcMyh3YwiCwN11Q6WbrQevu+EpLqbdCrY9vTzf6L5Kt7a2vtLZO8KKqdTPIZU40rCRbd3WCPMmjbr/4czWH1Ov+FE9aCdKHrdlIJFkQ3oemyqtGzj/ycpgOmueQP70YvRJypJyoytHyMEiXfrQUPPK1zz0Nefl9DH0giemBWzg67f2CGBUR79w0GayX3WUtDeJYSiCDZ1zez+f/k6qVtqwKxlRYKRFM4avj7KjV8FcAAAD//42ko/I=" } diff --git a/x-pack/filebeat/module/cylance/protect/test/generated.log-expected.json b/x-pack/filebeat/module/cylance/protect/test/generated.log-expected.json index abf3264f09f..aeb8dfcbd46 100644 --- a/x-pack/filebeat/module/cylance/protect/test/generated.log-expected.json +++ b/x-pack/filebeat/module/cylance/protect/test/generated.log-expected.json @@ -1,6 +1,5 @@ [ { - "@timestamp": "2016-01-29T08:09:59.000Z", "event.action": "ZoneAdd", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -26,7 +25,6 @@ "rsa.network.alias_host": [ "nostrud4819.mail.test" ], - "rsa.time.event_time": "2016-01-29T08:09:59.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -34,7 +32,6 @@ ] }, { - "@timestamp": "2016-02-12T03:12:33.000Z", "event.action": "LoginSuccess", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", 
@@ -59,7 +56,6 @@ "rsa.network.alias_host": [ "volup208.invalid" ], - "rsa.time.event_time": "2016-02-12T03:12:33.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -67,7 +63,6 @@ ] }, { - "@timestamp": "2020-02-26T10:15:08.000Z", "event.action": "Alert", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -92,7 +87,6 @@ "rsa.network.alias_host": [ "eius6159.www5.localhost" ], - "rsa.time.event_time": "2020-02-26T10:15:08.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -100,7 +94,6 @@ ] }, { - "@timestamp": "2016-03-12T05:17:42.000Z", "event.action": "SystemSecurity", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -125,7 +118,6 @@ "rsa.network.alias_host": [ "ratvolup497.www.corp" ], - "rsa.time.event_time": "2016-03-12T05:17:42.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -133,7 +125,6 @@ ] }, { - "@timestamp": "2016-03-26T12:20:16.000Z", "event.action": "Alert", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -159,7 +150,6 @@ "rsa.network.alias_host": [ "tatno5625.api.local" ], - "rsa.time.event_time": "2016-03-26T12:20:16.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -167,7 +157,6 @@ ] }, { - "@timestamp": "2016-04-09T07:22:51.000Z", "event.action": "SystemSecurity", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -199,7 +188,6 @@ "maveniam1399.mail.lan" ], "rsa.network.eth_host": "01:00:5e:dc:bb:8b", - "rsa.time.event_time": "2016-04-09T07:22:51.000Z", "service.type": "cylance", "source.ip": [ "10.124.61.119" @@ -211,7 +199,6 @@ "user.name": "occ" }, { - "@timestamp": "2020-04-24T14:25:25.000Z", "event.action": "Device Policy Assigned", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -236,7 +223,6 @@ "rsa.network.alias_host": [ "nimadmin6499.local" ], - "rsa.time.event_time": "2020-04-24T14:25:25.000Z", "service.type": "cylance", "tags": [ "cylance.protect", 
@@ -244,7 +230,6 @@ ] }, { - "@timestamp": "2016-05-08T09:27:59.000Z", "event.action": "ThreatUpdated", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -270,7 +255,6 @@ "rsa.network.alias_host": [ "suntinc4934.www5.test" ], - "rsa.time.event_time": "2016-05-08T09:27:59.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -278,7 +262,6 @@ ] }, { - "@timestamp": "2016-05-22T04:30:33.000Z", "event.action": "SystemSecurity", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -307,7 +290,6 @@ "rsa.network.alias_host": [ "reetdolo2451.www.example" ], - "rsa.time.event_time": "2016-05-22T04:30:33.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -316,7 +298,6 @@ "user.name": "usan" }, { - "@timestamp": "2016-06-05T11:33:08.000Z", "event.action": "Registration", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -337,7 +318,6 @@ "rsa.network.alias_host": [ "uis7612.www5.domain" ], - "rsa.time.event_time": "2016-06-05T11:33:08.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -345,7 +325,6 @@ ] }, { - "@timestamp": "2020-06-20T06:35:42.000Z", "event.action": "DeviceRemove", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -370,7 +349,6 @@ "rsa.network.alias_host": [ "admi3749.api.lan" ], - "rsa.time.event_time": "2020-06-20T06:35:42.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -378,7 +356,6 @@ ] }, { - "@timestamp": "2016-07-04T13:38:16.000Z", "event.action": "fullaccess", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -408,7 +385,6 @@ "rsa.network.alias_host": [ "rudexerc703.internal.host" ], - "rsa.time.event_time": "2016-07-04T13:38:16.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -417,7 +393,6 @@ "user.name": "isaute" }, { - "@timestamp": "2016-07-18T20:40:00.000Z", "event.action": "cancel", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", 
@@ -444,7 +419,6 @@ "rsa.misc.checksum": "itecto", "rsa.misc.event_type": "threat_found", "rsa.misc.node": "sequatur", - "rsa.time.event_time": "2016-07-18T20:40:00.000Z", "service.type": "cylance", "source.ip": [ "10.199.98.186" @@ -455,7 +429,6 @@ ] }, { - "@timestamp": "2016-08-02T03:43:25.000Z", "event.action": "LoginSuccess", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -487,7 +460,6 @@ "rsa.network.alias_host": [ "estqu1709.internal.example" ], - "rsa.time.event_time": "2016-08-02T03:43:25.000Z", "rsa.web.reputation_num": 145.898, "service.type": "cylance", "source.ip": [ @@ -499,7 +471,6 @@ ] }, { - "@timestamp": "2016-08-16T10:45:59.000Z", "event.action": "Alert", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -531,7 +502,6 @@ "xeac7155.www.localdomain" ], "rsa.network.eth_host": "01:00:5e:93:1c:9f", - "rsa.time.event_time": "2016-08-16T10:45:59.000Z", "service.type": "cylance", "source.ip": [ "10.143.239.210" @@ -543,7 +513,6 @@ "user.name": "oinBCSe" }, { - "@timestamp": "2016-08-30T05:48:33.000Z", "event.action": "accept", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -578,7 +547,6 @@ "rsa.network.alias_host": [ "maccusa5126.api.domain" ], - "rsa.time.event_time": "2016-08-30T05:48:33.000Z", "service.type": "cylance", "source.ip": [ "10.32.143.134" @@ -590,7 +558,6 @@ "user.name": "olupta" }, { - "@timestamp": "2019-09-13T12:51:07.000Z", "event.action": "DeviceEdit", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -614,7 +581,6 @@ "rsa.network.alias_host": [ "llu4718.localhost" ], - "rsa.time.event_time": "2019-09-13T12:51:07.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -622,7 +588,6 @@ ] }, { - "@timestamp": "2019-09-28T07:53:42.000Z", "event.action": "DeviceRemove", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", 
@@ -645,7 +610,6 @@ "rsa.misc.event_type": "DeviceRemove", "rsa.misc.mail_id": "tincu", "rsa.misc.policy_name": "taevit", - "rsa.time.event_time": "2019-09-28T07:53:42.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -653,7 +617,6 @@ ] }, { - "@timestamp": "2016-10-12T14:56:16.000Z", "event.action": "ZoneAddDevice", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -676,7 +639,6 @@ "rsa.network.alias_host": [ "eaq908.api.home" ], - "rsa.time.event_time": "2016-10-12T14:56:16.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -684,7 +646,6 @@ ] }, { - "@timestamp": "2016-10-26T09:58:50.000Z", "event.action": "DeviceRemove", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -714,7 +675,6 @@ "rsa.network.alias_host": [ "mcolab379.internal.home" ], - "rsa.time.event_time": "2016-10-26T09:58:50.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -723,7 +683,6 @@ "user.name": "fdeFi" }, { - "@timestamp": "2019-11-10T05:01:24.000Z", "event.action": "threat_quarantined", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -751,7 +710,6 @@ "rsa.misc.event_type": "threat_quarantined", "rsa.misc.node": "ectio", "rsa.network.eth_host": "01:00:5e:3f:c4:6c", - "rsa.time.event_time": "2019-11-10T05:01:24.000Z", "service.type": "cylance", "source.ip": [ "10.237.205.140" @@ -763,7 +721,6 @@ "user.name": "uames" }, { - "@timestamp": "2019-11-24T12:03:59.000Z", "event.action": "LoginSuccess", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -788,7 +745,6 @@ "rsa.network.alias_host": [ "sciun4694.api.lan" ], - "rsa.time.event_time": "2019-11-24T12:03:59.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -796,7 +752,6 @@ ] }, { - "@timestamp": "2019-12-08T07:06:33.000Z", "event.action": "pechange", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", 
@@ -818,7 +773,6 @@ "rsa.network.alias_host": [ "mni7200.mail.localdomain" ], - "rsa.time.event_time": "2019-12-08T07:06:33.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -826,7 +780,6 @@ ] }, { - "@timestamp": "2019-12-23T14:09:07.000Z", "event.action": "Device Policy Assigned", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -846,7 +799,6 @@ "rsa.misc.event_type": "Device Policy Assigned", "rsa.misc.node": "quinesc", "rsa.network.zone": "madmi", - "rsa.time.event_time": "2019-12-23T14:09:07.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -854,7 +806,6 @@ ] }, { - "@timestamp": "2017-01-06T09:11:41.000Z", "event.action": "Alert", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -883,7 +834,6 @@ "rsa.network.alias_host": [ "ntoccae1705.internal.invalid" ], - "rsa.time.event_time": "2017-01-06T09:11:41.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -892,7 +842,6 @@ "user.name": "aperiame" }, { - "@timestamp": "2020-01-20T04:14:16.000Z", "event.action": "PolicyAdd", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -916,7 +865,6 @@ "rsa.network.alias_host": [ "etconsec6708.internal.invalid" ], - "rsa.time.event_time": "2020-01-20T04:14:16.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -924,7 +872,6 @@ ] }, { - "@timestamp": "2017-02-03T11:16:50.000Z", "event.action": "PolicyAdd", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -950,7 +897,6 @@ "rsa.network.alias_host": [ "Sedutp7428.internal.home" ], - "rsa.time.event_time": "2017-02-03T11:16:50.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -958,7 +904,6 @@ ] }, { - "@timestamp": "2017-02-18T06:19:24.000Z", "event.action": "Alert", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", 
@@ -983,7 +928,6 @@ "rsa.network.alias_host": [ "ati4639.www5.home" ], - "rsa.time.event_time": "2017-02-18T06:19:24.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -991,7 +935,6 @@ ] }, { - "@timestamp": "2017-03-04T13:21:59.000Z", "event.action": "PolicyAdd", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -1016,7 +959,6 @@ "rsa.network.alias_host": [ "torever662.www5.home" ], - "rsa.time.event_time": "2017-03-04T13:21:59.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -1024,7 +966,6 @@ ] }, { - "@timestamp": "2017-03-18T08:24:33.000Z", "event.action": "Alert", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -1050,7 +991,6 @@ "rsa.network.alias_host": [ "emeumfug4387.internal.lan" ], - "rsa.time.event_time": "2017-03-18T08:24:33.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -1058,7 +998,6 @@ ] }, { - "@timestamp": "2017-04-02T03:27:07.000Z", "event.action": "DeviceRemove", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -1082,7 +1021,6 @@ "rsa.network.alias_host": [ "rumwrit764.www5.local" ], - "rsa.time.event_time": "2017-04-02T03:27:07.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -1090,7 +1028,6 @@ ] }, { - "@timestamp": "2020-04-16T10:29:41.000Z", "event.action": "SyslogSettingsSave", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -1113,7 +1050,6 @@ "rsa.investigations.event_vcat": "luptat", "rsa.misc.event_type": "SyslogSettingsSave", "rsa.misc.mail_id": "ritt", - "rsa.time.event_time": "2020-04-16T10:29:41.000Z", "service.type": "cylance", "source.ip": [ "10.13.66.97" @@ -1124,7 +1060,6 @@ ] }, { - "@timestamp": "2017-04-30T05:32:16.000Z", "event.action": "threat_quarantined", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", 
@@ -1150,7 +1085,6 @@ "rsa.network.alias_host": [ "oremi1485.api.localhost" ], - "rsa.time.event_time": "2017-04-30T05:32:16.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -1158,7 +1092,6 @@ ] }, { - "@timestamp": "2020-05-14T12:34:50.000Z", "event.action": "threat_found", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -1180,7 +1113,6 @@ "rsa.network.alias_host": [ "periam126.api.host" ], - "rsa.time.event_time": "2020-05-14T12:34:50.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -1188,7 +1120,6 @@ ] }, { - "@timestamp": "2017-05-29T07:37:24.000Z", "event.action": "PolicyAdd", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -1220,7 +1151,6 @@ "rsa.network.alias_host": [ "tate6578.api.localdomain" ], - "rsa.time.event_time": "2017-05-29T07:37:24.000Z", "rsa.web.reputation_num": 51.523, "service.type": "cylance", "source.ip": [ @@ -1232,7 +1162,6 @@ ] }, { - "@timestamp": "2017-06-12T14:39:58.000Z", "event.action": "Device Policy Assigned", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -1263,7 +1192,6 @@ "midestl1919.host" ], "rsa.network.eth_host": "01:00:5e:f9:78:c2", - "rsa.time.event_time": "2017-06-12T14:39:58.000Z", "service.type": "cylance", "source.ip": [ "10.124.88.222" @@ -1275,7 +1203,6 @@ "user.name": "onu" }, { - "@timestamp": "2017-06-26T09:42:33.000Z", "event.action": "ZoneAddDevice", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -1301,7 +1228,6 @@ "rsa.network.alias_host": [ "eiusmod3517.internal.invalid" ], - "rsa.time.event_time": "2017-06-26T09:42:33.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -1309,7 +1235,6 @@ ] }, { - "@timestamp": "2017-07-11T04:45:07.000Z", "event.action": "DeviceRemove", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", 
@@ -1341,7 +1266,6 @@ "ntexpl3889.www.home" ], "rsa.network.eth_host": "01:00:5e:54:ab:3f", - "rsa.time.event_time": "2017-07-11T04:45:07.000Z", "service.type": "cylance", "source.ip": [ "10.156.34.19" @@ -1353,7 +1277,6 @@ "user.name": "imveni" }, { - "@timestamp": "2019-07-25T11:47:41.000Z", "event.action": "DeviceRemove", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -1384,7 +1307,6 @@ "ntium4450.www5.localdomain" ], "rsa.network.eth_host": "01:00:5e:ee:e8:77", - "rsa.time.event_time": "2019-07-25T11:47:41.000Z", "service.type": "cylance", "source.ip": [ "10.22.94.10" @@ -1396,7 +1318,6 @@ "user.name": "ssusci" }, { - "@timestamp": "2017-08-08T06:50:15.000Z", "event.action": "LoginSuccess", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -1420,7 +1341,6 @@ "rsa.network.alias_host": [ "erspi5757.local" ], - "rsa.time.event_time": "2017-08-08T06:50:15.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -1428,7 +1348,6 @@ ] }, { - "@timestamp": "2019-08-22T13:52:50.000Z", "event.action": "threat_found", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -1450,7 +1369,6 @@ "rsa.misc.device_name": "edolo", "rsa.misc.event_type": "threat_found", "rsa.misc.mail_id": "econs", - "rsa.time.event_time": "2019-08-22T13:52:50.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -1458,7 +1376,6 @@ ] }, { - "@timestamp": "2017-09-06T08:55:00.000Z", "event.action": "allow", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -1485,7 +1402,6 @@ "rsa.misc.checksum": "culpaq", "rsa.misc.event_type": "PolicyAdd", "rsa.misc.node": "fugits", - "rsa.time.event_time": "2017-09-06T08:55:00.000Z", "service.type": "cylance", "source.ip": [ "10.153.34.43" @@ -1496,7 +1412,6 @@ ] }, { - "@timestamp": "2017-09-20T03:57:58.000Z", "event.action": "threat_found", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", 
@@ -1520,7 +1435,6 @@ "rsa.network.alias_host": [ "magnid3343.home" ], - "rsa.time.event_time": "2017-09-20T03:57:58.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -1528,7 +1442,6 @@ ] }, { - "@timestamp": "2019-10-04T11:00:32.000Z", "event.action": "ThreatUpdated", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -1551,7 +1464,6 @@ "asperna7623.www.home" ], "rsa.network.zone": "tat", - "rsa.time.event_time": "2019-10-04T11:00:32.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -1559,7 +1471,6 @@ ] }, { - "@timestamp": "2017-10-19T06:03:07.000Z", "event.action": "LoginSuccess", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -1588,7 +1499,6 @@ "rsa.network.alias_host": [ "undeom845.www5.example" ], - "rsa.time.event_time": "2017-10-19T06:03:07.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -1597,7 +1507,6 @@ "user.name": "tassita" }, { - "@timestamp": "2019-11-02T13:05:41.000Z", "event.action": "threat_changed", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -1617,7 +1526,6 @@ "rsa.misc.event_type": "threat_changed", "rsa.misc.node": "quira", "rsa.network.zone": "rror", - "rsa.time.event_time": "2019-11-02T13:05:41.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -1625,7 +1533,6 @@ ] }, { - "@timestamp": "2017-11-16T08:08:15.000Z", "event.action": "threat_quarantined", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -1657,7 +1564,6 @@ "rsa.network.alias_host": [ "ons5050.mail.test" ], - "rsa.time.event_time": "2017-11-16T08:08:15.000Z", "rsa.web.reputation_num": 75.498, "service.type": "cylance", "source.ip": [ @@ -1669,7 +1575,6 @@ ] }, { - "@timestamp": "2019-12-01T03:10:49.000Z", "event.action": "PolicyAdd", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", 
@@ -1700,7 +1605,6 @@ "oloreeu7597.mail.home" ], "rsa.network.eth_host": "01:00:5e:e8:41:ae", - "rsa.time.event_time": "2019-12-01T03:10:49.000Z", "service.type": "cylance", "source.ip": [ "10.7.99.47" @@ -1712,7 +1616,6 @@ "user.name": "evolupta" }, { - "@timestamp": "2017-12-15T10:13:24.000Z", "event.action": "Device Updated", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -1735,7 +1638,6 @@ "rsa.network.alias_host": [ "ueip5847.api.test" ], - "rsa.time.event_time": "2017-12-15T10:13:24.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -1743,7 +1645,6 @@ ] }, { - "@timestamp": "2017-12-29T05:15:58.000Z", "event.action": "SystemSecurity", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -1773,7 +1674,6 @@ "rsa.network.alias_host": [ "uid3520.www.home" ], - "rsa.time.event_time": "2017-12-29T05:15:58.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -1782,7 +1682,6 @@ "user.name": "ici" }, { - "@timestamp": "2020-01-12T12:18:32.000Z", "event.action": "SyslogSettingsSave", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -1801,7 +1700,6 @@ "rsa.investigations.event_vcat": "iduntu", "rsa.misc.event_type": "SyslogSettingsSave", "rsa.misc.node": "inibusB", - "rsa.time.event_time": "2020-01-12T12:18:32.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -1809,7 +1707,6 @@ ] }, { - "@timestamp": "2020-01-27T07:21:06.000Z", "event.action": "SyslogSettingsSave", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -1829,7 +1726,6 @@ "rsa.misc.event_type": "SyslogSettingsSave", "rsa.misc.node": "imavenia", "rsa.network.zone": "expli", - "rsa.time.event_time": "2020-01-27T07:21:06.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -1837,7 +1733,6 @@ ] }, { - "@timestamp": "2018-02-10T14:23:41.000Z", "event.action": "SystemSecurity", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", 
@@ -1862,7 +1757,6 @@ "rsa.network.alias_host": [ "teir7585.www5.localdomain" ], - "rsa.time.event_time": "2018-02-10T14:23:41.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -1870,7 +1764,6 @@ ] }, { - "@timestamp": "2020-02-24T09:26:15.000Z", "event.action": "SyslogSettingsSave", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -1891,7 +1784,6 @@ "rsa.misc.event_type": "SyslogSettingsSave", "rsa.misc.node": "quunt", "rsa.misc.serial_number": "volup", - "rsa.time.event_time": "2020-02-24T09:26:15.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -1899,7 +1791,6 @@ ] }, { - "@timestamp": "2020-03-11T04:28:49.000Z", "event.action": "Alert", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -1921,7 +1812,6 @@ "rsa.misc.device_name": "oreeu", "rsa.misc.event_type": "Alert", "rsa.misc.mail_id": "tassita", - "rsa.time.event_time": "2020-03-11T04:28:49.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -1929,7 +1819,6 @@ ] }, { - "@timestamp": "2018-03-25T11:31:24.000Z", "event.action": "ZoneAddDevice", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -1952,7 +1841,6 @@ "rsa.network.alias_host": [ "serrorsi1096.www5.localdomain" ], - "rsa.time.event_time": "2018-03-25T11:31:24.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -1960,7 +1848,6 @@ ] }, { - "@timestamp": "2018-04-08T06:33:58.000Z", "event.action": "SystemSecurity", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -1984,7 +1871,6 @@ "rsa.network.alias_host": [ "prehen4807.mail.invalid" ], - "rsa.time.event_time": "2018-04-08T06:33:58.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -1992,7 +1878,6 @@ ] }, { - "@timestamp": "2018-04-22T13:36:32.000Z", "event.action": "ZoneAdd", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", 
@@ -2018,7 +1903,6 @@ "rsa.network.alias_host": [ "sit1400.www.lan" ], - "rsa.time.event_time": "2018-04-22T13:36:32.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -2026,7 +1910,6 @@ ] }, { - "@timestamp": "2018-05-07T08:39:06.000Z", "event.action": "Device Updated", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -2047,7 +1930,6 @@ "rsa.network.alias_host": [ "sectetu7182.localdomain" ], - "rsa.time.event_time": "2018-05-07T08:39:06.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -2055,7 +1937,6 @@ ] }, { - "@timestamp": "2018-05-21T03:41:41.000Z", "event.action": "ZoneAdd", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -2080,7 +1961,6 @@ "rsa.network.alias_host": [ "officiad4982.www5.domain" ], - "rsa.time.event_time": "2018-05-21T03:41:41.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -2088,7 +1968,6 @@ ] }, { - "@timestamp": "2018-06-04T10:44:15.000Z", "event.action": "pechange", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -2111,7 +1990,6 @@ "rsa.network.alias_host": [ "consequa1486.internal.localdomain" ], - "rsa.time.event_time": "2018-06-04T10:44:15.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -2119,7 +1997,6 @@ ] }, { - "@timestamp": "2018-06-19T05:46:49.000Z", "event.action": "fullaccess", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -2150,7 +2027,6 @@ "its6443.mail.example" ], "rsa.network.eth_host": "01:00:5e:bc:c1:21", - "rsa.time.event_time": "2018-06-19T05:46:49.000Z", "service.type": "cylance", "source.ip": [ "10.139.80.71" @@ -2162,7 +2038,6 @@ "user.name": "orem" }, { - "@timestamp": "2018-07-03T12:49:23.000Z", "event.action": "Alert", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", 
@@ -2194,7 +2069,6 @@ "rsa.network.alias_host": [ "tconsec7604.corp" ], - "rsa.time.event_time": "2018-07-03T12:49:23.000Z", "rsa.web.reputation_num": 105.845, "service.type": "cylance", "source.ip": [ @@ -2206,7 +2080,6 @@ ] }, { - "@timestamp": "2018-07-17T07:51:58.000Z", "event.action": "threat_found", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -2232,7 +2105,6 @@ "rsa.network.alias_host": [ "tuser2694.internal.invalid" ], - "rsa.time.event_time": "2018-07-17T07:51:58.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -2240,7 +2112,6 @@ ] }, { - "@timestamp": "2018-08-01T14:54:32.000Z", "event.action": "pechange", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -2263,7 +2134,6 @@ "rsa.network.alias_host": [ "gnaaliq5240.api.test" ], - "rsa.time.event_time": "2018-08-01T14:54:32.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -2271,7 +2141,6 @@ ] }, { - "@timestamp": "2019-08-15T09:57:06.000Z", "event.action": "LoginSuccess", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -2293,7 +2162,6 @@ "rsa.network.alias_host": [ "illum2625.test" ], - "rsa.time.event_time": "2019-08-15T09:57:06.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -2301,7 +2169,6 @@ ] }, { - "@timestamp": "2018-08-29T16:59:40.000Z", "event.action": "deny", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -2332,7 +2199,6 @@ "rsa.network.alias_host": [ "nulamc5617.mail.host" ], - "rsa.time.event_time": "2018-08-29T16:59:40.000Z", "service.type": "cylance", "source.ip": [ "10.134.137.205" @@ -2343,7 +2209,6 @@ ] }, { - "@timestamp": "2018-09-12T12:02:15.000Z", "event.action": "threat_found", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -2369,7 +2234,6 @@ "rsa.network.alias_host": [ "tatem4713.internal.host" ], - "rsa.time.event_time": "2018-09-12T12:02:15.000Z", "service.type": "cylance", "tags": [ "cylance.protect", 
@@ -2377,7 +2241,6 @@ ] }, { - "@timestamp": "2018-09-27T07:04:49.000Z", "event.action": "SyslogSettingsSave", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -2409,7 +2272,6 @@ "ugits5961.www5.local" ], "rsa.network.eth_host": "01:00:5e:42:41:00", - "rsa.time.event_time": "2018-09-27T07:04:49.000Z", "service.type": "cylance", "source.ip": [ "10.91.2.225" @@ -2421,7 +2283,6 @@ "user.name": "rsp" }, { - "@timestamp": "2018-10-11T14:07:23.000Z", "event.action": "block", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -2456,7 +2317,6 @@ "rsa.network.alias_host": [ "prehende5460.mail.localdomain" ], - "rsa.time.event_time": "2018-10-11T14:07:23.000Z", "service.type": "cylance", "source.ip": [ "10.191.99.14" @@ -2468,7 +2328,6 @@ "user.name": "lapa" }, { - "@timestamp": "2019-10-25T09:09:57.000Z", "event.action": "Device Policy Assigned", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -2495,7 +2354,6 @@ "rsa.network.alias_host": [ "velites1745.api.corp" ], - "rsa.time.event_time": "2019-10-25T09:09:57.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -2503,7 +2361,6 @@ ] }, { - "@timestamp": "2019-11-09T04:12:32.000Z", "event.action": "LoginSuccess", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -2525,7 +2382,6 @@ "rsa.network.alias_host": [ "Duis583.api.local" ], - "rsa.time.event_time": "2019-11-09T04:12:32.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -2533,7 +2389,6 @@ ] }, { - "@timestamp": "2018-11-23T11:15:06.000Z", "event.action": "DeviceEdit", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -2560,7 +2415,6 @@ "rsa.network.alias_host": [ "velitess2401.www.lan" ], - "rsa.time.event_time": "2018-11-23T11:15:06.000Z", "service.type": "cylance", "tags": [ "cylance.protect", 
@@ -2568,7 +2422,6 @@ ] }, { - "@timestamp": "2018-12-07T06:17:40.000Z", "event.action": "pechange", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -2595,7 +2448,6 @@ "rsa.network.alias_host": [ "sequines3991.mail.local" ], - "rsa.time.event_time": "2018-12-07T06:17:40.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -2603,7 +2455,6 @@ ] }, { - "@timestamp": "2018-12-21T13:20:14.000Z", "event.action": "pechange", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -2635,7 +2486,6 @@ "rsa.network.alias_host": [ "iatquo2815.mail.host" ], - "rsa.time.event_time": "2018-12-21T13:20:14.000Z", "rsa.web.reputation_num": 38.593, "service.type": "cylance", "source.ip": [ @@ -2647,7 +2497,6 @@ ] }, { - "@timestamp": "2020-01-05T08:22:49.000Z", "event.action": "Device Policy Assigned", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -2669,7 +2518,6 @@ "rsa.misc.device_name": "atevelit", "rsa.misc.event_type": "Device Policy Assigned", "rsa.misc.mail_id": "uptate", - "rsa.time.event_time": "2020-01-05T08:22:49.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -2677,7 +2525,6 @@ ] }, { - "@timestamp": "2020-01-19T03:25:23.000Z", "event.action": "ZoneAddDevice", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -2704,7 +2551,6 @@ "rsa.network.alias_host": [ "issusci7005.mail.host" ], - "rsa.time.event_time": "2020-01-19T03:25:23.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -2712,7 +2558,6 @@ ] }, { - "@timestamp": "2019-02-02T22:27:57.000Z", "event.action": "accept", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -2743,7 +2588,6 @@ "rsa.network.alias_host": [ "umq7428.invalid" ], - "rsa.time.event_time": "2019-02-02T22:27:57.000Z", "service.type": "cylance", "source.ip": [ "10.164.59.219" 
@@ -2754,7 +2598,6 @@ ] }, { - "@timestamp": "2020-02-17T05:30:32.000Z", "event.action": "PolicyAdd", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -2776,7 +2619,6 @@ "rsa.misc.device_name": "rem", "rsa.misc.event_type": "PolicyAdd", "rsa.misc.mail_id": "rinci", - "rsa.time.event_time": "2020-02-17T05:30:32.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -2784,7 +2626,6 @@ ] }, { - "@timestamp": "2019-03-03T12:33:06.000Z", "event.action": "block", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -2815,7 +2656,6 @@ "rsa.network.alias_host": [ "epteurs5503.www5.home" ], - "rsa.time.event_time": "2019-03-03T12:33:06.000Z", "service.type": "cylance", "source.ip": [ "10.1.193.187" @@ -2826,7 +2666,6 @@ ] }, { - "@timestamp": "2020-03-17T07:35:40.000Z", "event.action": "DeviceRemove", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -2849,7 +2688,6 @@ "rsa.misc.event_type": "DeviceRemove", "rsa.misc.mail_id": "riat", "rsa.misc.policy_name": "umdo", - "rsa.time.event_time": "2020-03-17T07:35:40.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -2857,7 +2695,6 @@ ] }, { - "@timestamp": "2020-04-01T14:38:14.000Z", "event.action": "DeviceEdit", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -2881,7 +2718,6 @@ "rsa.network.alias_host": [ "omnisis5339.www5.local" ], - "rsa.time.event_time": "2020-04-01T14:38:14.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -2889,7 +2725,6 @@ ] }, { - "@timestamp": "2019-04-15T09:40:49.000Z", "event.action": "SystemSecurity", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -2914,7 +2749,6 @@ "rsa.network.alias_host": [ "ction491.www5.local" ], - "rsa.time.event_time": "2019-04-15T09:40:49.000Z", "service.type": "cylance", "tags": [ "cylance.protect", 
@@ -2922,7 +2756,6 @@ ] }, { - "@timestamp": "2019-04-29T04:43:23.000Z", "event.action": "Alert", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -2954,7 +2787,6 @@ "undeom7847.api.corp" ], "rsa.network.eth_host": "01:00:5e:9a:f3:b9", - "rsa.time.event_time": "2019-04-29T04:43:23.000Z", "service.type": "cylance", "source.ip": [ "10.146.228.234" @@ -2966,7 +2798,6 @@ "user.name": "susc" }, { - "@timestamp": "2019-05-13T11:45:57.000Z", "event.action": "ThreatUpdated", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -2992,7 +2823,6 @@ "rsa.network.alias_host": [ "dolo6230.mail.invalid" ], - "rsa.time.event_time": "2019-05-13T11:45:57.000Z", "service.type": "cylance", "source.ip": [ "10.59.232.97" @@ -3003,7 +2833,6 @@ ] }, { - "@timestamp": "2019-05-28T06:48:31.000Z", "event.action": "SyslogSettingsSave", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -3029,7 +2858,6 @@ "rsa.network.alias_host": [ "nvolup6280.api.home" ], - "rsa.time.event_time": "2019-05-28T06:48:31.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -3037,7 +2865,6 @@ ] }, { - "@timestamp": "2019-06-11T13:51:06.000Z", "event.action": "PolicyAdd", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -3063,7 +2890,6 @@ "rsa.network.alias_host": [ "urautodi3892.www5.example" ], - "rsa.time.event_time": "2019-06-11T13:51:06.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -3071,7 +2897,6 @@ ] }, { - "@timestamp": "2020-06-25T08:53:40.000Z", "event.action": "allow", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -3102,7 +2927,6 @@ "rsa.misc.device_name": "isciveli", "rsa.misc.event_type": "Alert", "rsa.misc.policy_name": "ing", - "rsa.time.event_time": "2020-06-25T08:53:40.000Z", "service.type": "cylance", "source.ip": [ "10.36.18.24" 
@@ -3114,7 +2938,6 @@ "user.name": "nsequ" }, { - "@timestamp": "2019-07-10T03:56:14.000Z", "event.action": "block", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -3149,7 +2972,6 @@ "rsa.network.alias_host": [ "uraut3756.www5.test" ], - "rsa.time.event_time": "2019-07-10T03:56:14.000Z", "service.type": "cylance", "source.ip": [ "10.127.30.119" @@ -3161,7 +2983,6 @@ "user.name": "stenatus" }, { - "@timestamp": "2019-07-24T10:58:48.000Z", "event.action": "Alert", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -3186,7 +3007,6 @@ "rsa.network.alias_host": [ "squ2213.www.test" ], - "rsa.time.event_time": "2019-07-24T10:58:48.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -3194,7 +3014,6 @@ ] }, { - "@timestamp": "2019-08-07T06:01:23.000Z", "event.action": "threat_changed", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -3216,7 +3035,6 @@ "rsa.misc.device_name": "utod", "rsa.misc.event_type": "threat_changed", "rsa.misc.mail_id": "orinrep", - "rsa.time.event_time": "2019-08-07T06:01:23.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -3224,7 +3042,6 @@ ] }, { - "@timestamp": "2019-08-21T13:03:57.000Z", "event.action": "deny", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -3259,7 +3076,6 @@ "rsa.network.alias_host": [ "umet5891.api.localdomain" ], - "rsa.time.event_time": "2019-08-21T13:03:57.000Z", "service.type": "cylance", "source.ip": [ "10.8.150.213" @@ -3271,7 +3087,6 @@ "user.name": "ugiatnul" }, { - "@timestamp": "2019-09-05T08:06:31.000Z", "event.action": "DeviceEdit", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -3297,7 +3112,6 @@ "rsa.network.alias_host": [ "umquam5574.internal.test" ], - "rsa.time.event_time": "2019-09-05T08:06:31.000Z", "service.type": "cylance", "source.ip": [ "10.108.59.10" 
@@ -3308,7 +3122,6 @@ ] }, { - "@timestamp": "2019-09-19T03:09:05.000Z", "event.action": "ThreatUpdated", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -3335,7 +3148,6 @@ "rsa.network.alias_host": [ "volupt6822.api.invalid" ], - "rsa.time.event_time": "2019-09-19T03:09:05.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -3343,7 +3155,6 @@ ] }, { - "@timestamp": "2019-10-03T10:11:40.000Z", "event.action": "Device Policy Assigned", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -3364,7 +3175,6 @@ "rsa.misc.event_type": "Device Policy Assigned", "rsa.misc.node": "stl", "rsa.misc.serial_number": "eumfugi", - "rsa.time.event_time": "2019-10-03T10:11:40.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -3372,7 +3182,6 @@ ] }, { - "@timestamp": "2019-10-18T05:14:14.000Z", "event.action": "SyslogSettingsSave", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -3393,7 +3202,6 @@ "rsa.misc.event_type": "SyslogSettingsSave", "rsa.misc.node": "tutlabo", "rsa.misc.serial_number": "ateveli", - "rsa.time.event_time": "2019-10-18T05:14:14.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -3401,7 +3209,6 @@ ] }, { - "@timestamp": "2019-11-01T12:16:48.000Z", "event.action": "ThreatUpdated", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -3430,7 +3237,6 @@ "rsa.network.alias_host": [ "amvol4075.mail.localhost" ], - "rsa.time.event_time": "2019-11-01T12:16:48.000Z", "service.type": "cylance", "tags": [ "cylance.protect", @@ -3439,7 +3245,6 @@ "user.name": "pta" }, { - "@timestamp": "2019-11-15T07:19:22.000Z", "event.action": "Registration", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -3464,7 +3269,6 @@ "rsa.network.alias_host": [ "asi4651.api.test" ], - "rsa.time.event_time": "2019-11-15T07:19:22.000Z", "service.type": "cylance", "tags": [ "cylance.protect", 
@@ -3472,7 +3276,6 @@ ] }, { - "@timestamp": "2019-11-30T14:21:57.000Z", "event.action": "Device Policy Assigned", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -3498,7 +3301,6 @@ "rsa.network.alias_host": [ "perna6751.internal.home" ], - "rsa.time.event_time": "2019-11-30T14:21:57.000Z", "service.type": "cylance", "source.ip": [ "10.138.85.233" @@ -3509,7 +3311,6 @@ ] }, { - "@timestamp": "2019-12-14T09:24:31.000Z", "event.action": "ThreatUpdated", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -3535,7 +3336,6 @@ "rsa.network.alias_host": [ "evolupta7790.internal.local" ], - "rsa.time.event_time": "2019-12-14T09:24:31.000Z", "service.type": "cylance", "tags": [ "cylance.protect", diff --git a/x-pack/filebeat/module/f5/_meta/config.yml b/x-pack/filebeat/module/f5/_meta/config.yml index a40427c7730..11ba78ad098 100644 --- a/x-pack/filebeat/module/f5/_meta/config.yml +++ b/x-pack/filebeat/module/f5/_meta/config.yml @@ -17,22 +17,3 @@ # "local" (default) for system timezone. # "+02:00" for GMT+02:00 # var.tz_offset: local - - firepass: - enabled: true - - # Set which input to use between udp (default), tcp or file. - # var.input: udp - # var.syslog_host: localhost - # var.syslog_port: 9509 - - # Set paths for the log files when file input is used. - # var.paths: - - # Toggle output of non-ECS fields (default true). - # var.rsa_fields: true - - # Set custom timezone offset. - # "local" (default) for system timezone. - # "+02:00" for GMT+02:00 - # var.tz_offset: local diff --git a/x-pack/filebeat/module/f5/_meta/docs.asciidoc b/x-pack/filebeat/module/f5/_meta/docs.asciidoc index 058a7aa3ea9..3b44e5fe63b 100644 --- a/x-pack/filebeat/module/f5/_meta/docs.asciidoc +++ b/x-pack/filebeat/module/f5/_meta/docs.asciidoc 
@@ -62,50 +62,5 @@ will be found under `rsa.raw`. The default is false. :fileset_ex!: -[float] -==== `firepass` fileset settings - -experimental[] - -NOTE: This was converted from RSA NetWitness log parser XML "firepass" device revision 0. - -*`var.input`*:: - -The input from which messages are read. One of `file`, `tcp` or `udp`. - -*`var.syslog_host`*:: - -The address to listen to UDP or TCP based syslog traffic. -Defaults to `localhost`. -Set to `0.0.0.0` to bind to all available interfaces. - -*`var.syslog_port`*:: - -The port to listen for syslog traffic. Defaults to `9509` - -NOTE: Ports below 1024 require Filebeat to run as root. - -*`var.tz_offset`*:: - -By default, datetimes in the logs will be interpreted as relative to -the timezone configured in the host where {beatname_uc} is running. If ingesting -logs from a host on a different timezone, use this field to set the timezone -offset so that datetimes are correctly parsed. Valid values are in the form -±HH:mm, for example, `-07:00` for `UTC-7`. - -*`var.rsa_fields`*:: - -Flag to control the addition of non-ECS fields to the event. Defaults to true, -which causes both ECS and custom fields under `rsa` to be are added. - -*`var.keep_raw_fields`*:: - -Flag to control the addition of the raw parser fields to the event. This fields -will be found under `rsa.raw`. The default is false. - -:has-dashboards!: - -:fileset_ex!: - :modulename!: diff --git a/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json b/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json index b06452aca74..b3f74874b99 100644 --- a/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json +++ b/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json @@ -1556,8 +1556,8 @@ "observer.vendor": "F5", "process.pid": 1973, "related.ip": [ - "10.47.99.72", - "10.187.64.126" + "10.187.64.126", + "10.47.99.72" ], "rsa.internal.messageid": "01490500", "rsa.misc.category": "oremipsu", 
diff --git a/x-pack/filebeat/module/f5/fields.go b/x-pack/filebeat/module/f5/fields.go index c54966f5028..6adc122ebd7 100644 --- a/x-pack/filebeat/module/f5/fields.go +++ b/x-pack/filebeat/module/f5/fields.go @@ -19,5 +19,5 @@ func init() { // AssetF5 returns asset data. // This is the base64 encoded gzipped contents of module/f5. func AssetF5() string { - return "" + return "" } diff --git a/x-pack/filebeat/module/f5/firepass/_meta/fields.yml b/x-pack/filebeat/module/f5/firepass/_meta/fields.yml deleted file mode 100644 index ecf61b431da..00000000000 --- a/x-pack/filebeat/module/f5/firepass/_meta/fields.yml +++ /dev/null 
@@ -1,2637 +0,0 @@ -- name: network.interface.name - overwrite: true - type: keyword - default_field: false - description: > - Name of the network interface where the traffic has been observed. -- name: rsa - overwrite: true - type: group - default_field: false - fields: - - name: internal - overwrite: true - type: group - fields: - - name: msg - overwrite: true - type: keyword - description: This key is used to capture the raw message that comes into the - Log Decoder - - name: messageid - overwrite: true - type: keyword - - name: event_desc - overwrite: true - type: keyword - - name: message - overwrite: true - type: keyword - description: This key captures the contents of instant messages - - name: time - overwrite: true - type: date - description: This is the time at which a session hits a NetWitness Decoder. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness. - - name: level - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: msg_id - overwrite: true - type: keyword - description: This is the Message ID1 value that identifies the exact log parser - definition which parses a particular log session. This key should never be - used to parse Meta data from a session (Logs/Packets) Directly, this is a - Reserved key in NetWitness - - name: msg_vid - overwrite: true - type: keyword - description: This is the Message ID2 value that identifies the exact log parser - definition which parses a particular log session. This key should never be - used to parse Meta data from a session (Logs/Packets) Directly, this is a - Reserved key in NetWitness - - name: data - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: obj_server - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: obj_val - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: resource - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: obj_id - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: statement - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: audit_class - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: entry - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: hcode - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: inode - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: resource_class - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: dead - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: feed_desc - overwrite: true - type: keyword - description: This is used to capture the description of the feed. This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: feed_name - overwrite: true - type: keyword - description: This is used to capture the name of the feed. This key should never - be used to parse Meta data from a session (Logs/Packets) Directly, this is - a Reserved key in NetWitness - - name: cid - overwrite: true - type: keyword - description: This is the unique identifier used to identify a NetWitness Concentrator. 
- This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: device_class - overwrite: true - type: keyword - description: This is the Classification of the Log Event Source under a predefined - fixed set of Event Source Classifications. This key should never be used to - parse Meta data from a session (Logs/Packets) Directly, this is a Reserved - key in NetWitness - - name: device_group - overwrite: true - type: keyword - description: This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_host - overwrite: true - type: keyword - description: This is the Hostname of the log Event Source sending the logs to - NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_ip - overwrite: true - type: ip - description: This is the IPv4 address of the Log Event Source sending the logs - to NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_ipv6 - overwrite: true - type: ip - description: This is the IPv6 address of the Log Event Source sending the logs - to NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: device_type - overwrite: true - type: keyword - description: This is the name of the log parser which parsed a given session. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: device_type_id - overwrite: true - type: long - description: Deprecated key defined only in table map. - - name: did - overwrite: true - type: keyword - description: This is the unique identifier used to identify a NetWitness Decoder. 
- This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: entropy_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the Meta Type can - be either UInt16 or Float32 based on the configuration - - name: entropy_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the Meta Type can - be either UInt16 or Float32 based on the configuration - - name: event_name - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: feed_category - overwrite: true - type: keyword - description: This is used to capture the category of the feed. This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: forward_ip - overwrite: true - type: ip - description: This key should be used to capture the IPV4 address of a relay - system which forwarded the events from the original system to NetWitness. - - name: forward_ipv6 - overwrite: true - type: ip - description: This key is used to capture the IPV6 address of a relay system - which forwarded the events from the original system to NetWitness. This key - should never be used to parse Meta data from a session (Logs/Packets) Directly, - this is a Reserved key in NetWitness - - name: header_id - overwrite: true - type: keyword - description: This is the Header ID value that identifies the exact log parser - header definition that parses a particular log session. This key should never - be used to parse Meta data from a session (Logs/Packets) Directly, this is - a Reserved key in NetWitness - - name: lc_cid - overwrite: true - type: keyword - description: This is a unique Identifier of a Log Collector. 
This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: lc_ctime - overwrite: true - type: date - description: This is the time at which a log is collected in a NetWitness Log - Collector. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: mcb_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - request is simply which byte for each side (0 thru 255) was seen the most - - name: mcb_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - response is simply which byte for each side (0 thru 255) was seen the most - - name: mcbc_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - count is the number of times the most common byte (above) was seen in the - session streams - - name: mcbc_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the most common byte - count is the number of times the most common byte (above) was seen in the - session streams - - name: medium - overwrite: true - type: long - description: "This key is used to identify if it\u2019s a log/packet session\ - \ or Layer 2 Encapsulation Type. This key should never be used to parse Meta\ - \ data from a session (Logs/Packets) Directly, this is a Reserved key in NetWitness.\ - \ 32 = log, 33 = correlation session, < 32 is packet session" - - name: node_name - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: nwe_callback_id - overwrite: true - type: keyword - description: This key denotes that event is endpoint related - - name: parse_error - overwrite: true - type: keyword - description: This is a special key that stores any Meta key validation error - found while parsing a log session. This key should never be used to parse - Meta data from a session (Logs/Packets) Directly, this is a Reserved key in - NetWitness - - name: payload_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the payload size metrics - are the payload sizes of each session side at the time of parsing. However, - in order to keep - - name: payload_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, the payload size metrics - are the payload sizes of each session side at the time of parsing. However, - in order to keep - - name: process_vid_dst - overwrite: true - type: keyword - description: Endpoint generates and uses a unique virtual ID to identify any - similar group of process. This ID represents the target process. - - name: process_vid_src - overwrite: true - type: keyword - description: Endpoint generates and uses a unique virtual ID to identify any - similar group of process. This ID represents the source process. - - name: rid - overwrite: true - type: long - description: This is a special ID of the Remote Session created by NetWitness - Decoder. This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: session_split - overwrite: true - type: keyword - description: This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: site - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: size - overwrite: true - type: long - description: This is the size of the session as seen by the NetWitness Decoder. - This key should never be used to parse Meta data from a session (Logs/Packets) - Directly, this is a Reserved key in NetWitness - - name: sourcefile - overwrite: true - type: keyword - description: This is the name of the log file or PCAPs that can be imported - into NetWitness. This key should never be used to parse Meta data from a session - (Logs/Packets) Directly, this is a Reserved key in NetWitness - - name: ubc_req - overwrite: true - type: long - description: This key is only used by the Entropy Parser, Unique byte count - is the number of unique bytes seen in each stream. 256 would mean all byte - values of 0 thru 255 were seen at least once - - name: ubc_res - overwrite: true - type: long - description: This key is only used by the Entropy Parser, Unique byte count - is the number of unique bytes seen in each stream. 256 would mean all byte - values of 0 thru 255 were seen at least once - - name: word - overwrite: true - type: keyword - description: This is used by the Word Parsing technology to capture the first - 5 character of every word in an unparsed log - - name: time - overwrite: true - type: group - fields: - - name: event_time - overwrite: true - type: date - description: This key is used to capture the time mentioned in a raw session - that represents the actual time an event occured in a standard normalized - form - - name: duration_time - overwrite: true - type: double - description: This key is used to capture the normalized duration/lifetime in - seconds. 
- - name: event_time_str - overwrite: true - type: keyword - description: This key is used to capture the incomplete time mentioned in a - session as a string - - name: starttime - overwrite: true - type: date - description: This key is used to capture the Start time mentioned in a session - in a standard form - - name: month - overwrite: true - type: keyword - - name: day - overwrite: true - type: keyword - - name: endtime - overwrite: true - type: date - description: This key is used to capture the End time mentioned in a session - in a standard form - - name: timezone - overwrite: true - type: keyword - description: This key is used to capture the timezone of the Event Time - - name: duration_str - overwrite: true - type: keyword - description: A text string version of the duration - - name: date - overwrite: true - type: keyword - - name: year - overwrite: true - type: keyword - - name: recorded_time - overwrite: true - type: date - description: The event time as recorded by the system the event is collected - from. The usage scenario is a multi-tier application where the management - layer of the system records it's own timestamp at the time of collection from - its child nodes. Must be in timestamp format. - - name: datetime - overwrite: true - type: keyword - - name: effective_time - overwrite: true - type: date - description: This key is the effective time referenced by an individual event - in a Standard Timestamp format - - name: expire_time - overwrite: true - type: date - description: This key is the timestamp that explicitly refers to an expiration. - - name: process_time - overwrite: true - type: keyword - description: Deprecated, use duration.time - - name: hour - overwrite: true - type: keyword - - name: min - overwrite: true - type: keyword - - name: timestamp - overwrite: true - type: keyword - - name: event_queue_time - overwrite: true - type: date - description: This key is the Time that the event was queued. 
- - name: p_time1 - overwrite: true - type: keyword - - name: tzone - overwrite: true - type: keyword - - name: eventtime - overwrite: true - type: keyword - - name: gmtdate - overwrite: true - type: keyword - - name: gmttime - overwrite: true - type: keyword - - name: p_date - overwrite: true - type: keyword - - name: p_month - overwrite: true - type: keyword - - name: p_time - overwrite: true - type: keyword - - name: p_time2 - overwrite: true - type: keyword - - name: p_year - overwrite: true - type: keyword - - name: expire_time_str - overwrite: true - type: keyword - description: This key is used to capture incomplete timestamp that explicitly - refers to an expiration. - - name: stamp - overwrite: true - type: date - description: Deprecated key defined only in table map. - - name: misc - overwrite: true - type: group - fields: - - name: action - overwrite: true - type: keyword - - name: result - overwrite: true - type: keyword - description: This key is used to capture the outcome/result string value of - an action in a session. - - name: severity - overwrite: true - type: keyword - description: This key is used to capture the severity given the session - - name: event_type - overwrite: true - type: keyword - description: This key captures the event category type as specified by the event - source. - - name: reference_id - overwrite: true - type: keyword - description: This key is used to capture an event id from the session directly - - name: version - overwrite: true - type: keyword - description: This key captures Version of the application or OS which is generating - the event. - - name: disposition - overwrite: true - type: keyword - description: This key captures the The end state of an action. 
- - name: result_code - overwrite: true - type: keyword - description: This key is used to capture the outcome/result numeric value of - an action in a session - - name: category - overwrite: true - type: keyword - description: This key is used to capture the category of an event given by the - vendor in the session - - name: obj_name - overwrite: true - type: keyword - description: This is used to capture name of object - - name: obj_type - overwrite: true - type: keyword - description: This is used to capture type of object - - name: event_source - overwrite: true - type: keyword - description: "This key captures Source of the event that\u2019s not a hostname" - - name: log_session_id - overwrite: true - type: keyword - description: This key is used to capture a sessionid from the session directly - - name: group - overwrite: true - type: keyword - description: This key captures the Group Name value - - name: policy_name - overwrite: true - type: keyword - description: This key is used to capture the Policy Name only. - - name: rule_name - overwrite: true - type: keyword - description: This key captures the Rule Name - - name: context - overwrite: true - type: keyword - description: This key captures Information which adds additional context to - the event. - - name: change_new - overwrite: true - type: keyword - description: "This key is used to capture the new values of the attribute that\u2019\ - s changing in a session" - - name: space - overwrite: true - type: keyword - - name: client - overwrite: true - type: keyword - description: This key is used to capture only the name of the client application - requesting resources of the server. See the user.agent meta key for capture - of the specific user agent identifier or browser identification string. 
- - name: msgIdPart1 - overwrite: true - type: keyword - - name: msgIdPart2 - overwrite: true - type: keyword - - name: change_old - overwrite: true - type: keyword - description: "This key is used to capture the old value of the attribute that\u2019\ - s changing in a session" - - name: operation_id - overwrite: true - type: keyword - description: An alert number or operation number. The values should be unique - and non-repeating. - - name: event_state - overwrite: true - type: keyword - description: This key captures the current state of the object/item referenced - within the event. Describing an on-going event. - - name: group_object - overwrite: true - type: keyword - description: This key captures a collection/grouping of entities. Specific usage - - name: node - overwrite: true - type: keyword - description: Common use case is the node name within a cluster. The cluster - name is reflected by the host name. - - name: rule - overwrite: true - type: keyword - description: This key captures the Rule number - - name: device_name - overwrite: true - type: keyword - description: 'This is used to capture name of the Device associated with the - node Like: a physical disk, printer, etc' - - name: param - overwrite: true - type: keyword - description: This key is the parameters passed as part of a command or application, - etc. - - name: change_attrib - overwrite: true - type: keyword - description: "This key is used to capture the name of the attribute that\u2019\ - s changing in a session" - - name: event_computer - overwrite: true - type: keyword - description: This key is a windows only concept, where this key is used to capture - fully qualified domain name in a windows log. 
- - name: reference_id1 - overwrite: true - type: keyword - description: This key is for Linked ID to be used as an addition to "reference.id" - - name: event_log - overwrite: true - type: keyword - description: This key captures the Name of the event log - - name: OS - overwrite: true - type: keyword - description: This key captures the Name of the Operating System - - name: terminal - overwrite: true - type: keyword - description: This key captures the Terminal Names only - - name: msgIdPart3 - overwrite: true - type: keyword - - name: filter - overwrite: true - type: keyword - description: This key captures Filter used to reduce result set - - name: serial_number - overwrite: true - type: keyword - description: This key is the Serial number associated with a physical asset. - - name: checksum - overwrite: true - type: keyword - description: This key is used to capture the checksum or hash of the entity - such as a file or process. Checksum should be used over checksum.src or checksum.dst - when it is unclear whether the entity is a source or target of an action. - - name: event_user - overwrite: true - type: keyword - description: This key is a windows only concept, where this key is used to capture - combination of domain name and username in a windows log. - - name: virusname - overwrite: true - type: keyword - description: This key captures the name of the virus - - name: content_type - overwrite: true - type: keyword - description: This key is used to capture Content Type only. 
- - name: group_id - overwrite: true - type: keyword - description: This key captures Group ID Number (related to the group name) - - name: policy_id - overwrite: true - type: keyword - description: This key is used to capture the Policy ID only, this should be - a numeric value, use policy.name otherwise - - name: vsys - overwrite: true - type: keyword - description: This key captures Virtual System Name - - name: connection_id - overwrite: true - type: keyword - description: This key captures the Connection ID - - name: reference_id2 - overwrite: true - type: keyword - description: This key is for the 2nd Linked ID. Can be either linked to "reference.id" - or "reference.id1" value but should not be used unless the other two variables - are in play. - - name: sensor - overwrite: true - type: keyword - description: This key captures Name of the sensor. Typically used in IDS/IPS - based devices - - name: sig_id - overwrite: true - type: long - description: This key captures IDS/IPS Int Signature ID - - name: port_name - overwrite: true - type: keyword - description: 'This key is used for Physical or logical port connection but does - NOT include a network port. (Example: Printer port name).' - - name: rule_group - overwrite: true - type: keyword - description: This key captures the Rule group name - - name: risk_num - overwrite: true - type: double - description: This key captures a Numeric Risk value - - name: trigger_val - overwrite: true - type: keyword - description: This key captures the Value of the trigger or threshold condition. - - name: log_session_id1 - overwrite: true - type: keyword - description: This key is used to capture a Linked (Related) Session ID from - the session directly - - name: comp_version - overwrite: true - type: keyword - description: This key captures the Version level of a sub-component of a product. 
- - name: content_version - overwrite: true - type: keyword - description: This key captures Version level of a signature or database content. - - name: hardware_id - overwrite: true - type: keyword - description: This key is used to capture unique identifier for a device or system - (NOT a Mac address) - - name: risk - overwrite: true - type: keyword - description: This key captures the non-numeric risk value - - name: event_id - overwrite: true - type: keyword - - name: reason - overwrite: true - type: keyword - - name: status - overwrite: true - type: keyword - - name: mail_id - overwrite: true - type: keyword - description: This key is used to capture the mailbox id/name - - name: rule_uid - overwrite: true - type: keyword - description: This key is the Unique Identifier for a rule. - - name: trigger_desc - overwrite: true - type: keyword - description: This key captures the Description of the trigger or threshold condition. - - name: inout - overwrite: true - type: keyword - - name: p_msgid - overwrite: true - type: keyword - - name: data_type - overwrite: true - type: keyword - - name: msgIdPart4 - overwrite: true - type: keyword - - name: error - overwrite: true - type: keyword - description: This key captures All non successful Error codes or responses - - name: index - overwrite: true - type: keyword - - name: listnum - overwrite: true - type: keyword - description: This key is used to capture listname or listnumber, primarily for - collecting access-list - - name: ntype - overwrite: true - type: keyword - - name: observed_val - overwrite: true - type: keyword - description: This key captures the Value observed (from the perspective of the - device generating the log). - - name: policy_value - overwrite: true - type: keyword - description: This key captures the contents of the policy. 
This contains details - about the policy - - name: pool_name - overwrite: true - type: keyword - description: This key captures the name of a resource pool - - name: rule_template - overwrite: true - type: keyword - description: A default set of parameters which are overlayed onto a rule (or - rulename) which efffectively constitutes a template - - name: count - overwrite: true - type: keyword - - name: number - overwrite: true - type: keyword - - name: sigcat - overwrite: true - type: keyword - - name: type - overwrite: true - type: keyword - - name: comments - overwrite: true - type: keyword - description: Comment information provided in the log message - - name: doc_number - overwrite: true - type: long - description: This key captures File Identification number - - name: expected_val - overwrite: true - type: keyword - description: This key captures the Value expected (from the perspective of the - device generating the log). - - name: job_num - overwrite: true - type: keyword - description: This key captures the Job Number - - name: spi_dst - overwrite: true - type: keyword - description: Destination SPI Index - - name: spi_src - overwrite: true - type: keyword - description: Source SPI Index - - name: code - overwrite: true - type: keyword - - name: agent_id - overwrite: true - type: keyword - description: This key is used to capture agent id - - name: message_body - overwrite: true - type: keyword - description: This key captures the The contents of the message body. - - name: phone - overwrite: true - type: keyword - - name: sig_id_str - overwrite: true - type: keyword - description: This key captures a string object of the sigid variable. - - name: cmd - overwrite: true - type: keyword - - name: misc - overwrite: true - type: keyword - - name: name - overwrite: true - type: keyword - - name: cpu - overwrite: true - type: long - description: This key is the CPU time used in the execution of the event being - recorded. 
- - name: event_desc - overwrite: true - type: keyword - description: This key is used to capture a description of an event available - directly or inferred - - name: sig_id1 - overwrite: true - type: long - description: This key captures IDS/IPS Int Signature ID. This must be linked - to the sig.id - - name: im_buddyid - overwrite: true - type: keyword - - name: im_client - overwrite: true - type: keyword - - name: im_userid - overwrite: true - type: keyword - - name: pid - overwrite: true - type: keyword - - name: priority - overwrite: true - type: keyword - - name: context_subject - overwrite: true - type: keyword - description: This key is to be used in an audit context where the subject is - the object being identified - - name: context_target - overwrite: true - type: keyword - - name: cve - overwrite: true - type: keyword - description: This key captures CVE (Common Vulnerabilities and Exposures) - - an identifier for known information security vulnerabilities. - - name: fcatnum - overwrite: true - type: keyword - description: This key captures Filter Category Number. Legacy Usage - - name: library - overwrite: true - type: keyword - description: This key is used to capture library information in mainframe devices - - name: parent_node - overwrite: true - type: keyword - description: This key captures the Parent Node Name. Must be related to node - variable. - - name: risk_info - overwrite: true - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: tcp_flags - overwrite: true - type: long - description: This key is captures the TCP flags set in any packet of session - - name: tos - overwrite: true - type: long - description: This key describes the type of service - - name: vm_target - overwrite: true - type: keyword - description: VMWare Target **VMWARE** only varaible. 
- - name: workspace - overwrite: true - type: keyword - description: This key captures Workspace Description - - name: command - overwrite: true - type: keyword - - name: event_category - overwrite: true - type: keyword - - name: facilityname - overwrite: true - type: keyword - - name: forensic_info - overwrite: true - type: keyword - - name: jobname - overwrite: true - type: keyword - - name: mode - overwrite: true - type: keyword - - name: policy - overwrite: true - type: keyword - - name: policy_waiver - overwrite: true - type: keyword - - name: second - overwrite: true - type: keyword - - name: space1 - overwrite: true - type: keyword - - name: subcategory - overwrite: true - type: keyword - - name: tbdstr2 - overwrite: true - type: keyword - - name: alert_id - overwrite: true - type: keyword - description: Deprecated, New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: checksum_dst - overwrite: true - type: keyword - description: This key is used to capture the checksum or hash of the the target - entity such as a process or file. - - name: checksum_src - overwrite: true - type: keyword - description: This key is used to capture the checksum or hash of the source - entity such as a file or process. 
- - name: fresult - overwrite: true - type: long - description: This key captures the Filter Result - - name: payload_dst - overwrite: true - type: keyword - description: This key is used to capture destination payload - - name: payload_src - overwrite: true - type: keyword - description: This key is used to capture source payload - - name: pool_id - overwrite: true - type: keyword - description: This key captures the identifier (typically numeric field) of a - resource pool - - name: process_id_val - overwrite: true - type: keyword - description: This key is a failure key for Process ID when it is not an integer - value - - name: risk_num_comm - overwrite: true - type: double - description: This key captures Risk Number Community - - name: risk_num_next - overwrite: true - type: double - description: This key captures Risk Number NextGen - - name: risk_num_sand - overwrite: true - type: double - description: This key captures Risk Number SandBox - - name: risk_num_static - overwrite: true - type: double - description: This key captures Risk Number Static - - name: risk_suspicious - overwrite: true - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: risk_warning - overwrite: true - type: keyword - description: Deprecated, use New Hunting Model (inv.*, ioc, boc, eoc, analysis.*) - - name: snmp_oid - overwrite: true - type: keyword - description: SNMP Object Identifier - - name: sql - overwrite: true - type: keyword - description: This key captures the SQL query - - name: vuln_ref - overwrite: true - type: keyword - description: This key captures the Vulnerability Reference details - - name: acl_id - overwrite: true - type: keyword - - name: acl_op - overwrite: true - type: keyword - - name: acl_pos - overwrite: true - type: keyword - - name: acl_table - overwrite: true - type: keyword - - name: admin - overwrite: true - type: keyword - - name: alarm_id - overwrite: true - type: keyword - - name: alarmname - 
overwrite: true - type: keyword - - name: app_id - overwrite: true - type: keyword - - name: audit - overwrite: true - type: keyword - - name: audit_object - overwrite: true - type: keyword - - name: auditdata - overwrite: true - type: keyword - - name: benchmark - overwrite: true - type: keyword - - name: bypass - overwrite: true - type: keyword - - name: cache - overwrite: true - type: keyword - - name: cache_hit - overwrite: true - type: keyword - - name: cefversion - overwrite: true - type: keyword - - name: cfg_attr - overwrite: true - type: keyword - - name: cfg_obj - overwrite: true - type: keyword - - name: cfg_path - overwrite: true - type: keyword - - name: changes - overwrite: true - type: keyword - - name: client_ip - overwrite: true - type: keyword - - name: clustermembers - overwrite: true - type: keyword - - name: cn_acttimeout - overwrite: true - type: keyword - - name: cn_asn_src - overwrite: true - type: keyword - - name: cn_bgpv4nxthop - overwrite: true - type: keyword - - name: cn_ctr_dst_code - overwrite: true - type: keyword - - name: cn_dst_tos - overwrite: true - type: keyword - - name: cn_dst_vlan - overwrite: true - type: keyword - - name: cn_engine_id - overwrite: true - type: keyword - - name: cn_engine_type - overwrite: true - type: keyword - - name: cn_f_switch - overwrite: true - type: keyword - - name: cn_flowsampid - overwrite: true - type: keyword - - name: cn_flowsampintv - overwrite: true - type: keyword - - name: cn_flowsampmode - overwrite: true - type: keyword - - name: cn_inacttimeout - overwrite: true - type: keyword - - name: cn_inpermbyts - overwrite: true - type: keyword - - name: cn_inpermpckts - overwrite: true - type: keyword - - name: cn_invalid - overwrite: true - type: keyword - - name: cn_ip_proto_ver - overwrite: true - type: keyword - - name: cn_ipv4_ident - overwrite: true - type: keyword - - name: cn_l_switch - overwrite: true - type: keyword - - name: cn_log_did - overwrite: true - type: keyword - - name: 
cn_log_rid - overwrite: true - type: keyword - - name: cn_max_ttl - overwrite: true - type: keyword - - name: cn_maxpcktlen - overwrite: true - type: keyword - - name: cn_min_ttl - overwrite: true - type: keyword - - name: cn_minpcktlen - overwrite: true - type: keyword - - name: cn_mpls_lbl_1 - overwrite: true - type: keyword - - name: cn_mpls_lbl_10 - overwrite: true - type: keyword - - name: cn_mpls_lbl_2 - overwrite: true - type: keyword - - name: cn_mpls_lbl_3 - overwrite: true - type: keyword - - name: cn_mpls_lbl_4 - overwrite: true - type: keyword - - name: cn_mpls_lbl_5 - overwrite: true - type: keyword - - name: cn_mpls_lbl_6 - overwrite: true - type: keyword - - name: cn_mpls_lbl_7 - overwrite: true - type: keyword - - name: cn_mpls_lbl_8 - overwrite: true - type: keyword - - name: cn_mpls_lbl_9 - overwrite: true - type: keyword - - name: cn_mplstoplabel - overwrite: true - type: keyword - - name: cn_mplstoplabip - overwrite: true - type: keyword - - name: cn_mul_dst_byt - overwrite: true - type: keyword - - name: cn_mul_dst_pks - overwrite: true - type: keyword - - name: cn_muligmptype - overwrite: true - type: keyword - - name: cn_sampalgo - overwrite: true - type: keyword - - name: cn_sampint - overwrite: true - type: keyword - - name: cn_seqctr - overwrite: true - type: keyword - - name: cn_spackets - overwrite: true - type: keyword - - name: cn_src_tos - overwrite: true - type: keyword - - name: cn_src_vlan - overwrite: true - type: keyword - - name: cn_sysuptime - overwrite: true - type: keyword - - name: cn_template_id - overwrite: true - type: keyword - - name: cn_totbytsexp - overwrite: true - type: keyword - - name: cn_totflowexp - overwrite: true - type: keyword - - name: cn_totpcktsexp - overwrite: true - type: keyword - - name: cn_unixnanosecs - overwrite: true - type: keyword - - name: cn_v6flowlabel - overwrite: true - type: keyword - - name: cn_v6optheaders - overwrite: true - type: keyword - - name: comp_class - overwrite: true - type: 
keyword - - name: comp_name - overwrite: true - type: keyword - - name: comp_rbytes - overwrite: true - type: keyword - - name: comp_sbytes - overwrite: true - type: keyword - - name: cpu_data - overwrite: true - type: keyword - - name: criticality - overwrite: true - type: keyword - - name: cs_agency_dst - overwrite: true - type: keyword - - name: cs_analyzedby - overwrite: true - type: keyword - - name: cs_av_other - overwrite: true - type: keyword - - name: cs_av_primary - overwrite: true - type: keyword - - name: cs_av_secondary - overwrite: true - type: keyword - - name: cs_bgpv6nxthop - overwrite: true - type: keyword - - name: cs_bit9status - overwrite: true - type: keyword - - name: cs_context - overwrite: true - type: keyword - - name: cs_control - overwrite: true - type: keyword - - name: cs_data - overwrite: true - type: keyword - - name: cs_datecret - overwrite: true - type: keyword - - name: cs_dst_tld - overwrite: true - type: keyword - - name: cs_eth_dst_ven - overwrite: true - type: keyword - - name: cs_eth_src_ven - overwrite: true - type: keyword - - name: cs_event_uuid - overwrite: true - type: keyword - - name: cs_filetype - overwrite: true - type: keyword - - name: cs_fld - overwrite: true - type: keyword - - name: cs_if_desc - overwrite: true - type: keyword - - name: cs_if_name - overwrite: true - type: keyword - - name: cs_ip_next_hop - overwrite: true - type: keyword - - name: cs_ipv4dstpre - overwrite: true - type: keyword - - name: cs_ipv4srcpre - overwrite: true - type: keyword - - name: cs_lifetime - overwrite: true - type: keyword - - name: cs_log_medium - overwrite: true - type: keyword - - name: cs_loginname - overwrite: true - type: keyword - - name: cs_modulescore - overwrite: true - type: keyword - - name: cs_modulesign - overwrite: true - type: keyword - - name: cs_opswatresult - overwrite: true - type: keyword - - name: cs_payload - overwrite: true - type: keyword - - name: cs_registrant - overwrite: true - type: keyword - - 
name: cs_registrar - overwrite: true - type: keyword - - name: cs_represult - overwrite: true - type: keyword - - name: cs_rpayload - overwrite: true - type: keyword - - name: cs_sampler_name - overwrite: true - type: keyword - - name: cs_sourcemodule - overwrite: true - type: keyword - - name: cs_streams - overwrite: true - type: keyword - - name: cs_targetmodule - overwrite: true - type: keyword - - name: cs_v6nxthop - overwrite: true - type: keyword - - name: cs_whois_server - overwrite: true - type: keyword - - name: cs_yararesult - overwrite: true - type: keyword - - name: description - overwrite: true - type: keyword - - name: devvendor - overwrite: true - type: keyword - - name: distance - overwrite: true - type: keyword - - name: dstburb - overwrite: true - type: keyword - - name: edomain - overwrite: true - type: keyword - - name: edomaub - overwrite: true - type: keyword - - name: euid - overwrite: true - type: keyword - - name: facility - overwrite: true - type: keyword - - name: finterface - overwrite: true - type: keyword - - name: flags - overwrite: true - type: keyword - - name: gaddr - overwrite: true - type: keyword - - name: id3 - overwrite: true - type: keyword - - name: im_buddyname - overwrite: true - type: keyword - - name: im_croomid - overwrite: true - type: keyword - - name: im_croomtype - overwrite: true - type: keyword - - name: im_members - overwrite: true - type: keyword - - name: im_username - overwrite: true - type: keyword - - name: ipkt - overwrite: true - type: keyword - - name: ipscat - overwrite: true - type: keyword - - name: ipspri - overwrite: true - type: keyword - - name: latitude - overwrite: true - type: keyword - - name: linenum - overwrite: true - type: keyword - - name: list_name - overwrite: true - type: keyword - - name: load_data - overwrite: true - type: keyword - - name: location_floor - overwrite: true - type: keyword - - name: location_mark - overwrite: true - type: keyword - - name: log_id - overwrite: true - 
type: keyword - - name: log_type - overwrite: true - type: keyword - - name: logid - overwrite: true - type: keyword - - name: logip - overwrite: true - type: keyword - - name: logname - overwrite: true - type: keyword - - name: longitude - overwrite: true - type: keyword - - name: lport - overwrite: true - type: keyword - - name: mbug_data - overwrite: true - type: keyword - - name: misc_name - overwrite: true - type: keyword - - name: msg_type - overwrite: true - type: keyword - - name: msgid - overwrite: true - type: keyword - - name: netsessid - overwrite: true - type: keyword - - name: num - overwrite: true - type: keyword - - name: number1 - overwrite: true - type: keyword - - name: number2 - overwrite: true - type: keyword - - name: nwwn - overwrite: true - type: keyword - - name: object - overwrite: true - type: keyword - - name: operation - overwrite: true - type: keyword - - name: opkt - overwrite: true - type: keyword - - name: orig_from - overwrite: true - type: keyword - - name: owner_id - overwrite: true - type: keyword - - name: p_action - overwrite: true - type: keyword - - name: p_filter - overwrite: true - type: keyword - - name: p_group_object - overwrite: true - type: keyword - - name: p_id - overwrite: true - type: keyword - - name: p_msgid1 - overwrite: true - type: keyword - - name: p_msgid2 - overwrite: true - type: keyword - - name: p_result1 - overwrite: true - type: keyword - - name: password_chg - overwrite: true - type: keyword - - name: password_expire - overwrite: true - type: keyword - - name: permgranted - overwrite: true - type: keyword - - name: permwanted - overwrite: true - type: keyword - - name: pgid - overwrite: true - type: keyword - - name: policyUUID - overwrite: true - type: keyword - - name: prog_asp_num - overwrite: true - type: keyword - - name: program - overwrite: true - type: keyword - - name: real_data - overwrite: true - type: keyword - - name: rec_asp_device - overwrite: true - type: keyword - - name: rec_asp_num 
- overwrite: true - type: keyword - - name: rec_library - overwrite: true - type: keyword - - name: recordnum - overwrite: true - type: keyword - - name: ruid - overwrite: true - type: keyword - - name: sburb - overwrite: true - type: keyword - - name: sdomain_fld - overwrite: true - type: keyword - - name: sec - overwrite: true - type: keyword - - name: sensorname - overwrite: true - type: keyword - - name: seqnum - overwrite: true - type: keyword - - name: session - overwrite: true - type: keyword - - name: sessiontype - overwrite: true - type: keyword - - name: sigUUID - overwrite: true - type: keyword - - name: spi - overwrite: true - type: keyword - - name: srcburb - overwrite: true - type: keyword - - name: srcdom - overwrite: true - type: keyword - - name: srcservice - overwrite: true - type: keyword - - name: state - overwrite: true - type: keyword - - name: status1 - overwrite: true - type: keyword - - name: svcno - overwrite: true - type: keyword - - name: system - overwrite: true - type: keyword - - name: tbdstr1 - overwrite: true - type: keyword - - name: tgtdom - overwrite: true - type: keyword - - name: tgtdomain - overwrite: true - type: keyword - - name: threshold - overwrite: true - type: keyword - - name: type1 - overwrite: true - type: keyword - - name: udb_class - overwrite: true - type: keyword - - name: url_fld - overwrite: true - type: keyword - - name: user_div - overwrite: true - type: keyword - - name: userid - overwrite: true - type: keyword - - name: username_fld - overwrite: true - type: keyword - - name: utcstamp - overwrite: true - type: keyword - - name: v_instafname - overwrite: true - type: keyword - - name: virt_data - overwrite: true - type: keyword - - name: vpnid - overwrite: true - type: keyword - - name: autorun_type - overwrite: true - type: keyword - description: This is used to capture Auto Run type - - name: cc_number - overwrite: true - type: long - description: Valid Credit Card Numbers only - - name: content - 
overwrite: true - type: keyword - description: This key captures the content type from protocol headers - - name: ein_number - overwrite: true - type: long - description: Employee Identification Numbers only - - name: found - overwrite: true - type: keyword - description: This is used to capture the results of regex match - - name: language - overwrite: true - type: keyword - description: This is used to capture list of languages the client support and - what it prefers - - name: lifetime - overwrite: true - type: long - description: This key is used to capture the session lifetime in seconds. - - name: link - overwrite: true - type: keyword - description: This key is used to link the sessions together. This key should - never be used to parse Meta data from a session (Logs/Packets) Directly, this - is a Reserved key in NetWitness - - name: match - overwrite: true - type: keyword - description: This key is for regex match name from search.ini - - name: param_dst - overwrite: true - type: keyword - description: This key captures the command line/launch argument of the target - process or file - - name: param_src - overwrite: true - type: keyword - description: This key captures source parameter - - name: search_text - overwrite: true - type: keyword - description: This key captures the Search Text used - - name: sig_name - overwrite: true - type: keyword - description: This key is used to capture the Signature Name only. - - name: snmp_value - overwrite: true - type: keyword - description: SNMP set request value - - name: streams - overwrite: true - type: long - description: This key captures number of streams in session - - name: db - overwrite: true - type: group - fields: - - name: index - overwrite: true - type: keyword - description: This key captures IndexID of the index. 
- - name: instance - overwrite: true - type: keyword - description: This key is used to capture the database server instance name - - name: database - overwrite: true - type: keyword - description: This key is used to capture the name of a database or an instance - as seen in a session - - name: transact_id - overwrite: true - type: keyword - description: This key captures the SQL transantion ID of the current session - - name: permissions - overwrite: true - type: keyword - description: This key captures permission or privilege level assigned to a resource. - - name: table_name - overwrite: true - type: keyword - description: This key is used to capture the table name - - name: db_id - overwrite: true - type: keyword - description: This key is used to capture the unique identifier for a database - - name: db_pid - overwrite: true - type: long - description: This key captures the process id of a connection with database - server - - name: lread - overwrite: true - type: long - description: This key is used for the number of logical reads - - name: lwrite - overwrite: true - type: long - description: This key is used for the number of logical writes - - name: pread - overwrite: true - type: long - description: This key is used for the number of physical writes - - name: network - overwrite: true - type: group - fields: - - name: alias_host - overwrite: true - type: keyword - description: This key should be used when the source or destination context - of a hostname is not clear.Also it captures the Device Hostname. Any Hostname - that isnt ad.computer. 
- - name: domain - overwrite: true - type: keyword - - name: host_dst - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Destination Hostname" - - name: network_service - overwrite: true - type: keyword - description: This is used to capture layer 7 protocols/service names - - name: interface - overwrite: true - type: keyword - description: This key should be used when the source or destination context - of an interface is not clear - - name: network_port - overwrite: true - type: long - description: 'Deprecated, use port. NOTE: There is a type discrepancy as currently - used, TM: Int32, INDEX: UInt64 (why neither chose the correct UInt16?!)' - - name: eth_host - overwrite: true - type: keyword - description: Deprecated, use alias.mac - - name: sinterface - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Source Interface" - - name: dinterface - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Destination Interface" - - name: vlan - overwrite: true - type: long - description: This key should only be used to capture the ID of the Virtual LAN - - name: zone_src - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Source Zone." - - name: zone - overwrite: true - type: keyword - description: This key should be used when the source or destination context - of a Zone is not clear - - name: zone_dst - overwrite: true - type: keyword - description: "This key should only be used when it\u2019s a Destination Zone." - - name: gateway - overwrite: true - type: keyword - description: This key is used to capture the IP Address of the gateway - - name: icmp_type - overwrite: true - type: long - description: This key is used to capture the ICMP type only - - name: mask - overwrite: true - type: keyword - description: This key is used to capture the device network IPmask. 
- - name: icmp_code - overwrite: true - type: long - description: This key is used to capture the ICMP code only - - name: protocol_detail - overwrite: true - type: keyword - description: This key should be used to capture additional protocol information - - name: dmask - overwrite: true - type: keyword - description: This key is used for Destionation Device network mask - - name: port - overwrite: true - type: long - description: This key should only be used to capture a Network Port when the - directionality is not clear - - name: smask - overwrite: true - type: keyword - description: This key is used for capturing source Network Mask - - name: netname - overwrite: true - type: keyword - description: This key is used to capture the network name associated with an - IP range. This is configured by the end user. - - name: paddr - overwrite: true - type: ip - description: Deprecated - - name: faddr - overwrite: true - type: keyword - - name: lhost - overwrite: true - type: keyword - - name: origin - overwrite: true - type: keyword - - name: remote_domain_id - overwrite: true - type: keyword - - name: addr - overwrite: true - type: keyword - - name: dns_a_record - overwrite: true - type: keyword - - name: dns_ptr_record - overwrite: true - type: keyword - - name: fhost - overwrite: true - type: keyword - - name: fport - overwrite: true - type: keyword - - name: laddr - overwrite: true - type: keyword - - name: linterface - overwrite: true - type: keyword - - name: phost - overwrite: true - type: keyword - - name: ad_computer_dst - overwrite: true - type: keyword - description: Deprecated, use host.dst - - name: eth_type - overwrite: true - type: long - description: This key is used to capture Ethernet Type, Used for Layer 3 Protocols - Only - - name: ip_proto - overwrite: true - type: long - description: This key should be used to capture the Protocol number, all the - protocol nubers are converted into string in UI - - name: dns_cname_record - overwrite: true - 
type: keyword - - name: dns_id - overwrite: true - type: keyword - - name: dns_opcode - overwrite: true - type: keyword - - name: dns_resp - overwrite: true - type: keyword - - name: dns_type - overwrite: true - type: keyword - - name: domain1 - overwrite: true - type: keyword - - name: host_type - overwrite: true - type: keyword - - name: packet_length - overwrite: true - type: keyword - - name: host_orig - overwrite: true - type: keyword - description: This is used to capture the original hostname in case of a Forwarding - Agent or a Proxy in between. - - name: rpayload - overwrite: true - type: keyword - description: This key is used to capture the total number of payload bytes seen - in the retransmitted packets. - - name: vlan_name - overwrite: true - type: keyword - description: This key should only be used to capture the name of the Virtual - LAN - - name: investigations - overwrite: true - type: group - fields: - - name: ec_activity - overwrite: true - type: keyword - description: This key captures the particular event activity(Ex:Logoff) - - name: ec_theme - overwrite: true - type: keyword - description: This key captures the Theme of a particular Event(Ex:Authentication) - - name: ec_subject - overwrite: true - type: keyword - description: This key captures the Subject of a particular Event(Ex:User) - - name: ec_outcome - overwrite: true - type: keyword - description: This key captures the outcome of a particular Event(Ex:Success) - - name: event_cat - overwrite: true - type: long - description: This key captures the Event category number - - name: event_cat_name - overwrite: true - type: keyword - description: This key captures the event category name corresponding to the - event cat code - - name: event_vcat - overwrite: true - type: keyword - description: This is a vendor supplied category. This should be used in situations - where the vendor has adopted their own event_category taxonomy. 
- - name: analysis_file - overwrite: true - type: keyword - description: This is used to capture all indicators used in a File Analysis. - This key should be used to capture an analysis of a file - - name: analysis_service - overwrite: true - type: keyword - description: This is used to capture all indicators used in a Service Analysis. - This key should be used to capture an analysis of a service - - name: analysis_session - overwrite: true - type: keyword - description: This is used to capture all indicators used for a Session Analysis. - This key should be used to capture an analysis of a session - - name: boc - overwrite: true - type: keyword - description: This is used to capture behaviour of compromise - - name: eoc - overwrite: true - type: keyword - description: This is used to capture Enablers of Compromise - - name: inv_category - overwrite: true - type: keyword - description: This used to capture investigation category - - name: inv_context - overwrite: true - type: keyword - description: This used to capture investigation context - - name: ioc - overwrite: true - type: keyword - description: This is key capture indicator of compromise - - name: counters - overwrite: true - type: group - fields: - - name: dclass_c1 - overwrite: true - type: long - description: This is a generic counter key that should be used with the label - dclass.c1.str only - - name: dclass_c2 - overwrite: true - type: long - description: This is a generic counter key that should be used with the label - dclass.c2.str only - - name: event_counter - overwrite: true - type: long - description: This is used to capture the number of times an event repeated - - name: dclass_r1 - overwrite: true - type: keyword - description: This is a generic ratio key that should be used with the label - dclass.r1.str only - - name: dclass_c3 - overwrite: true - type: long - description: This is a generic counter key that should be used with the label - dclass.c3.str only - - name: dclass_c1_str - 
overwrite: true - type: keyword - description: This is a generic counter string key that should be used with the - label dclass.c1 only - - name: dclass_c2_str - overwrite: true - type: keyword - description: This is a generic counter string key that should be used with the - label dclass.c2 only - - name: dclass_r1_str - overwrite: true - type: keyword - description: This is a generic ratio string key that should be used with the - label dclass.r1 only - - name: dclass_r2 - overwrite: true - type: keyword - description: This is a generic ratio key that should be used with the label - dclass.r2.str only - - name: dclass_c3_str - overwrite: true - type: keyword - description: This is a generic counter string key that should be used with the - label dclass.c3 only - - name: dclass_r3 - overwrite: true - type: keyword - description: This is a generic ratio key that should be used with the label - dclass.r3.str only - - name: dclass_r2_str - overwrite: true - type: keyword - description: This is a generic ratio string key that should be used with the - label dclass.r2 only - - name: dclass_r3_str - overwrite: true - type: keyword - description: This is a generic ratio string key that should be used with the - label dclass.r3 only - - name: identity - overwrite: true - type: group - fields: - - name: auth_method - overwrite: true - type: keyword - description: This key is used to capture authentication methods used only - - name: user_role - overwrite: true - type: keyword - description: This key is used to capture the Role of a user only - - name: dn - overwrite: true - type: keyword - description: X.500 (LDAP) Distinguished Name - - name: logon_type - overwrite: true - type: keyword - description: This key is used to capture the type of logon method used. 
- - name: profile - overwrite: true - type: keyword - description: This key is used to capture the user profile - - name: accesses - overwrite: true - type: keyword - description: This key is used to capture actual privileges used in accessing - an object - - name: realm - overwrite: true - type: keyword - description: Radius realm or similar grouping of accounts - - name: user_sid_dst - overwrite: true - type: keyword - description: This key captures Destination User Session ID - - name: dn_src - overwrite: true - type: keyword - description: An X.500 (LDAP) Distinguished name that is used in a context that - indicates a Source dn - - name: org - overwrite: true - type: keyword - description: This key captures the User organization - - name: dn_dst - overwrite: true - type: keyword - description: An X.500 (LDAP) Distinguished name that used in a context that - indicates a Destination dn - - name: firstname - overwrite: true - type: keyword - description: This key is for First Names only, this is used for Healthcare predominantly - to capture Patients information - - name: lastname - overwrite: true - type: keyword - description: This key is for Last Names only, this is used for Healthcare predominantly - to capture Patients information - - name: user_dept - overwrite: true - type: keyword - description: User's Department Names only - - name: user_sid_src - overwrite: true - type: keyword - description: This key captures Source User Session ID - - name: federated_sp - overwrite: true - type: keyword - description: This key is the Federated Service Provider. This is the application - requesting authentication. - - name: federated_idp - overwrite: true - type: keyword - description: This key is the federated Identity Provider. This is the server - providing the authentication. - - name: logon_type_desc - overwrite: true - type: keyword - description: This key is used to capture the textual description of an integer - logon type as stored in the meta key 'logon.type'. 
- - name: middlename - overwrite: true - type: keyword - description: This key is for Middle Names only, this is used for Healthcare - predominantly to capture Patients information - - name: password - overwrite: true - type: keyword - description: This key is for Passwords seen in any session, plain text or encrypted - - name: host_role - overwrite: true - type: keyword - description: This key should only be used to capture the role of a Host Machine - - name: ldap - overwrite: true - type: keyword - description: "This key is for Uninterpreted LDAP values. Ldap Values that don\u2019\ - t have a clear query or response context" - - name: ldap_query - overwrite: true - type: keyword - description: This key is the Search criteria from an LDAP search - - name: ldap_response - overwrite: true - type: keyword - description: This key is to capture Results from an LDAP search - - name: owner - overwrite: true - type: keyword - description: This is used to capture username the process or service is running - as, the author of the task - - name: service_account - overwrite: true - type: keyword - description: This key is a windows specific key, used for capturing name of - the account a service (referenced in the event) is running under. Legacy Usage - - name: email - overwrite: true - type: group - fields: - - name: email_dst - overwrite: true - type: keyword - description: This key is used to capture the Destination email address only, - when the destination context is not clear use email - - name: email_src - overwrite: true - type: keyword - description: This key is used to capture the source email address only, when - the source context is not clear use email - - name: subject - overwrite: true - type: keyword - description: This key is used to capture the subject string from an Email only. 
- - name: email - overwrite: true - type: keyword - description: This key is used to capture a generic email address where the source - or destination context is not clear - - name: trans_from - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: trans_to - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: file - overwrite: true - type: group - fields: - - name: privilege - overwrite: true - type: keyword - description: Deprecated, use permissions - - name: attachment - overwrite: true - type: keyword - description: This key captures the attachment file name - - name: filesystem - overwrite: true - type: keyword - - name: binary - overwrite: true - type: keyword - description: Deprecated key defined only in table map. - - name: filename_dst - overwrite: true - type: keyword - description: This is used to capture name of the file targeted by the action - - name: filename_src - overwrite: true - type: keyword - description: This is used to capture name of the parent filename, the file which - performed the action - - name: filename_tmp - overwrite: true - type: keyword - - name: directory_dst - overwrite: true - type: keyword - description: This key is used to capture the directory of the target process - or file - - name: directory_src - overwrite: true - type: keyword - description: This key is used to capture the directory of the source process - or file - - name: file_entropy - overwrite: true - type: double - description: This is used to capture entropy vale of a file - - name: file_vendor - overwrite: true - type: keyword - description: This is used to capture Company name of file located in version_info - - name: task_name - overwrite: true - type: keyword - description: This is used to capture name of the task - - name: web - overwrite: true - type: group - fields: - - name: fqdn - overwrite: true - type: keyword - description: Fully Qualified Domain Names - - 
name: web_cookie - overwrite: true - type: keyword - description: This key is used to capture the Web cookies specifically. - - name: alias_host - overwrite: true - type: keyword - - name: reputation_num - overwrite: true - type: double - description: Reputation Number of an entity. Typically used for Web Domains - - name: web_ref_domain - overwrite: true - type: keyword - description: Web referer's domain - - name: web_ref_query - overwrite: true - type: keyword - description: This key captures Web referer's query portion of the URL - - name: remote_domain - overwrite: true - type: keyword - - name: web_ref_page - overwrite: true - type: keyword - description: This key captures Web referer's page information - - name: web_ref_root - overwrite: true - type: keyword - description: Web referer's root URL path - - name: cn_asn_dst - overwrite: true - type: keyword - - name: cn_rpackets - overwrite: true - type: keyword - - name: urlpage - overwrite: true - type: keyword - - name: urlroot - overwrite: true - type: keyword - - name: p_url - overwrite: true - type: keyword - - name: p_user_agent - overwrite: true - type: keyword - - name: p_web_cookie - overwrite: true - type: keyword - - name: p_web_method - overwrite: true - type: keyword - - name: p_web_referer - overwrite: true - type: keyword - - name: web_extension_tmp - overwrite: true - type: keyword - - name: web_page - overwrite: true - type: keyword - - name: threat - overwrite: true - type: group - fields: - - name: threat_category - overwrite: true - type: keyword - description: This key captures Threat Name/Threat Category/Categorization of - alert - - name: threat_desc - overwrite: true - type: keyword - description: This key is used to capture the threat description from the session - directly or inferred - - name: alert - overwrite: true - type: keyword - description: This key is used to capture name of the alert - - name: threat_source - overwrite: true - type: keyword - description: This key is used to 
capture source of the threat - - name: crypto - overwrite: true - type: group - fields: - - name: crypto - overwrite: true - type: keyword - description: This key is used to capture the Encryption Type or Encryption Key - only - - name: cipher_src - overwrite: true - type: keyword - description: This key is for Source (Client) Cipher - - name: cert_subject - overwrite: true - type: keyword - description: This key is used to capture the Certificate organization only - - name: peer - overwrite: true - type: keyword - description: This key is for Encryption peer's IP Address - - name: cipher_size_src - overwrite: true - type: long - description: This key captures Source (Client) Cipher Size - - name: ike - overwrite: true - type: keyword - description: IKE negotiation phase. - - name: scheme - overwrite: true - type: keyword - description: This key captures the Encryption scheme used - - name: peer_id - overwrite: true - type: keyword - description: "This key is for Encryption peer\u2019s identity" - - name: sig_type - overwrite: true - type: keyword - description: This key captures the Signature Type - - name: cert_issuer - overwrite: true - type: keyword - - name: cert_host_name - overwrite: true - type: keyword - description: Deprecated key defined only in table map. 
- - name: cert_error - overwrite: true - type: keyword - description: This key captures the Certificate Error String - - name: cipher_dst - overwrite: true - type: keyword - description: This key is for Destination (Server) Cipher - - name: cipher_size_dst - overwrite: true - type: long - description: This key captures Destination (Server) Cipher Size - - name: ssl_ver_src - overwrite: true - type: keyword - description: Deprecated, use version - - name: d_certauth - overwrite: true - type: keyword - - name: s_certauth - overwrite: true - type: keyword - - name: ike_cookie1 - overwrite: true - type: keyword - description: "ID of the negotiation \u2014 sent for ISAKMP Phase One" - - name: ike_cookie2 - overwrite: true - type: keyword - description: "ID of the negotiation \u2014 sent for ISAKMP Phase Two" - - name: cert_checksum - overwrite: true - type: keyword - - name: cert_host_cat - overwrite: true - type: keyword - description: This key is used for the hostname category value of a certificate - - name: cert_serial - overwrite: true - type: keyword - description: This key is used to capture the Certificate serial number only - - name: cert_status - overwrite: true - type: keyword - description: This key captures Certificate validation status - - name: ssl_ver_dst - overwrite: true - type: keyword - description: Deprecated, use version - - name: cert_keysize - overwrite: true - type: keyword - - name: cert_username - overwrite: true - type: keyword - - name: https_insact - overwrite: true - type: keyword - - name: https_valid - overwrite: true - type: keyword - - name: cert_ca - overwrite: true - type: keyword - description: This key is used to capture the Certificate signing authority only - - name: cert_common - overwrite: true - type: keyword - description: This key is used to capture the Certificate common name only - - name: wireless - overwrite: true - type: group - fields: - - name: wlan_ssid - overwrite: true - type: keyword - description: This key is 
used to capture the ssid of a Wireless Session - - name: access_point - overwrite: true - type: keyword - description: This key is used to capture the access point name. - - name: wlan_channel - overwrite: true - type: long - description: This is used to capture the channel names - - name: wlan_name - overwrite: true - type: keyword - description: This key captures either WLAN number/name - - name: storage - overwrite: true - type: group - fields: - - name: disk_volume - overwrite: true - type: keyword - description: A unique name assigned to logical units (volumes) within a physical - disk - - name: lun - overwrite: true - type: keyword - description: Logical Unit Number.This key is a very useful concept in Storage. - - name: pwwn - overwrite: true - type: keyword - description: This uniquely identifies a port on a HBA. - - name: physical - overwrite: true - type: group - fields: - - name: org_dst - overwrite: true - type: keyword - description: This is used to capture the destination organization based on the - GEOPIP Maxmind database. - - name: org_src - overwrite: true - type: keyword - description: This is used to capture the source organization based on the GEOPIP - Maxmind database. 
- - name: healthcare - overwrite: true - type: group - fields: - - name: patient_fname - overwrite: true - type: keyword - description: This key is for First Names only, this is used for Healthcare predominantly - to capture Patients information - - name: patient_id - overwrite: true - type: keyword - description: This key captures the unique ID for a patient - - name: patient_lname - overwrite: true - type: keyword - description: This key is for Last Names only, this is used for Healthcare predominantly - to capture Patients information - - name: patient_mname - overwrite: true - type: keyword - description: This key is for Middle Names only, this is used for Healthcare - predominantly to capture Patients information - - name: endpoint - overwrite: true - type: group - fields: - - name: host_state - overwrite: true - type: keyword - description: This key is used to capture the current state of the machine, such - as blacklisted, infected, firewall - disabled and so on - - name: registry_key - overwrite: true - type: keyword - description: This key captures the path to the registry key - - name: registry_value - overwrite: true - type: keyword - description: This key captures values or decorators used within a registry entry diff --git a/x-pack/filebeat/module/f5/firepass/config/input.yml b/x-pack/filebeat/module/f5/firepass/config/input.yml deleted file mode 100644 index 467922155dc..00000000000 --- a/x-pack/filebeat/module/f5/firepass/config/input.yml +++ /dev/null 
@@ -1,45 +0,0 @@
-{{ if eq .input "file" }}
-
-type: log
-paths:
- {{ range $i, $path := .paths }}
-- {{$path}}
- {{ end }}
-exclude_files: [".gz$"]
-
-{{ else }}
-
-type: {{.input}}
-host: "{{.syslog_host}}:{{.syslog_port}}"
-
-{{ end }}
-
-tags: {{.tags | tojson}}
-publisher_pipeline.disable_host: {{ inList .tags "forwarded" }}
-
-fields_under_root: true
-fields:
- observer:
- vendor: "F5"
- product: "FirePass"
- type: "VPN"
-
-processors:
-- script:
- lang: javascript
- params:
- ecs: true
- rsa: {{.rsa_fields}}
- tz_offset: {{.tz_offset}}
- keep_raw: {{.keep_raw_fields}}
- debug: {{.debug}}
- files:
- - ${path.home}/module/f5/firepass/config/liblogparser.js
- - ${path.home}/module/f5/firepass/config/pipeline.js
-{{ if .community_id }}
-- community_id: ~
-{{ end }}
-- add_fields:
- target: ''
- fields:
- ecs.version: 1.5.0
diff --git a/x-pack/filebeat/module/f5/firepass/config/liblogparser.js b/x-pack/filebeat/module/f5/firepass/config/liblogparser.js
deleted file mode 100644
index c8cf5e2ee06..00000000000
--- a/x-pack/filebeat/module/f5/firepass/config/liblogparser.js
+++ /dev/null
@@ -1,2344 +0,0 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. - -/* jshint -W014,-W016,-W097,-W116 */ - -var processor = require("processor"); -var console = require("console"); - -var FLAG_FIELD = "log.flags"; -var FIELDS_OBJECT = "nwparser"; -var FIELDS_PREFIX = FIELDS_OBJECT + "."; - -var defaults = { - debug: false, - ecs: true, - rsa: false, - keep_raw: false, - tz_offset: "local", - strip_priority: true -}; - -var saved_flags = null; -var debug; -var map_ecs; -var map_rsa; -var keep_raw; -var device; -var tz_offset; -var strip_priority; - -// Register params from configuration. -function register(params) { - debug = params.debug !== undefined ? params.debug : defaults.debug; - map_ecs = params.ecs !== undefined ? params.ecs : defaults.ecs; - map_rsa = params.rsa !== undefined ? params.rsa : defaults.rsa; - keep_raw = params.keep_raw !== undefined ? params.keep_raw : defaults.keep_raw; - tz_offset = parse_tz_offset(params.tz_offset !== undefined? params.tz_offset : defaults.tz_offset); - strip_priority = params.strip_priority !== undefined? params.strip_priority : defaults.strip_priority; - device = new DeviceProcessor(); -} - -function parse_tz_offset(offset) { - var date; - var m; - switch(offset) { - // local uses the tz offset from the JS VM. - case "local": - date = new Date(); - // Reversing the sign as we the offset from UTC, not to UTC. - return parse_local_tz_offset(-date.getTimezoneOffset()); - // event uses the tz offset from event.timezone (add_locale processor). - case "event": - return offset; - // Otherwise a tz offset in the form "[+-][0-9]{4}" is required. - default: - m = offset.match(/^([+\-])([0-9]{2}):?([0-9]{2})?$/); - if (m === null || m.length !== 4) { - throw("bad timezone offset: '" + offset + "'. 
Must have the form +HH:MM"); - } - return m[1] + m[2] + ":" + (m[3]!==undefined? m[3] : "00"); - } -} - -function parse_local_tz_offset(minutes) { - var neg = minutes < 0; - minutes = Math.abs(minutes); - var min = minutes % 60; - var hours = Math.floor(minutes / 60); - var pad2digit = function(n) { - if (n < 10) { return "0" + n;} - return "" + n; - }; - return (neg? "-" : "+") + pad2digit(hours) + ":" + pad2digit(min); -} - -function process(evt) { - // Function register is only called by the processor when `params` are set - // in the processor config. - if (device === undefined) { - register(defaults); - } - return device.process(evt); -} - -function processor_chain(subprocessors) { - var builder = new processor.Chain(); - subprocessors.forEach(builder.Add); - return builder.Build().Run; -} - -function linear_select(subprocessors) { - return function (evt) { - var flags = evt.Get(FLAG_FIELD); - var i; - for (i = 0; i < subprocessors.length; i++) { - evt.Delete(FLAG_FIELD); - if (debug) console.warn("linear_select trying entry " + i); - subprocessors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) == null) break; - if (debug) console.warn("linear_select failed entry " + i); - } - if (flags !== null) { - evt.Put(FLAG_FIELD, flags); - } - if (debug) { - if (i < subprocessors.length) { - console.warn("linear_select matched entry " + i); - } else { - console.warn("linear_select didn't match"); - } - } - }; -} - -function conditional(opt) { - return function(evt) { - if (opt.if(evt)) { - opt.then(evt); - } else if (opt.else) { - opt.else(evt); - } - }; -} - -var strip_syslog_priority = (function() { - var isEnabled = function() { return strip_priority === true; }; - var fetchPRI = field("_pri"); - var fetchPayload = field("payload"); - var removePayload = remove(["payload"]); - var cleanup = remove(["_pri", "payload"]); - var onMatch = function(evt) { - var pri, priStr = fetchPRI(evt); - if (priStr != null - && 0 < priStr.length && priStr.length < 4 - && !isNaN((pri = Number(priStr))) - && 0 <= pri && pri < 192) { - var severity = pri & 7, - facility = pri >> 3; - setc("_severity", "" + severity)(evt); - setc("_facility", "" + facility)(evt); - // Replace message with priority stripped. - evt.Put("message", fetchPayload(evt)); - removePayload(evt); - } else { - // not a valid syslog PRI, cleanup. 
- cleanup(evt); - } - }; - return conditional({ - if: isEnabled, - then: cleanup_flags(match( - "STRIP_PRI", - "message", - "<%{_pri}>%{payload}", - onMatch - )) - }); -})(); - -function match(id, src, pattern, on_success) { - var dissect = new processor.Dissect({ - field: src, - tokenizer: pattern, - target_prefix: FIELDS_OBJECT, - ignore_failure: true, - overwrite_keys: true, - trim_values: "right" - }); - return function (evt) { - var msg = evt.Get(src); - dissect.Run(evt); - var failed = evt.Get(FLAG_FIELD) != null; - if (debug) { - if (failed) { - console.debug("dissect fail: " + id + " field:" + src); - } else { - console.debug("dissect OK: " + id + " field:" + src); - } - console.debug(" expr: <<" + pattern + ">>"); - console.debug(" input: <<" + msg + ">>"); - } - if (on_success != null && !failed) { - on_success(evt); - } - }; -} - -function cleanup_flags(processor) { - return function(evt) { - processor(evt); - evt.Delete(FLAG_FIELD); - }; -} - -function all_match(opts) { - return function (evt) { - var i; - for (i = 0; i < opts.processors.length; i++) { - evt.Delete(FLAG_FIELD); - opts.processors[i](evt); - // Dissect processor succeeded? 
- if (evt.Get(FLAG_FIELD) != null) { - if (debug) console.warn("all_match failure at " + i); - if (opts.on_failure != null) opts.on_failure(evt); - return; - } - if (debug) console.warn("all_match success at " + i); - } - if (opts.on_success != null) opts.on_success(evt); - }; -} - -function msgid_select(mapping) { - return function (evt) { - var msgid = evt.Get(FIELDS_PREFIX + "messageid"); - if (msgid == null) { - if (debug) console.warn("msgid_select: no messageid captured!"); - return; - } - var next = mapping[msgid]; - if (next === undefined) { - if (debug) console.warn("msgid_select: no mapping for messageid:" + msgid); - return; - } - if (debug) console.info("msgid_select: matched key=" + msgid); - return next(evt); - }; -} - -function msg(msg_id, match) { - return function (evt) { - match(evt); - if (evt.Get(FLAG_FIELD) == null) { - evt.Put(FIELDS_PREFIX + "msg_id1", msg_id); - } - }; -} - -var start; - -function save_flags(evt) { - saved_flags = evt.Get(FLAG_FIELD); - evt.Put("event.original", evt.Get("message")); -} - -function restore_flags(evt) { - if (saved_flags !== null) { - evt.Put(FLAG_FIELD, saved_flags); - } - evt.Delete("message"); -} - -function constant(value) { - return function (evt) { - return value; - }; -} - -function field(name) { - var fullname = FIELDS_PREFIX + name; - return function (evt) { - return evt.Get(fullname); - }; -} - -function STRCAT(args) { - var s = ""; - var i; - for (i = 0; i < args.length; i++) { - s += args[i]; - } - return s; -} - -// TODO: Implement -function DIRCHK(args) { - unimplemented("DIRCHK"); -} - -function strictToInt(str) { - return str * 1; -} - -function CALC(args) { - if (args.length !== 3) { - console.warn("skipped call to CALC with " + args.length + " arguments."); - return; - } - var a = strictToInt(args[0]); - var b = strictToInt(args[2]); - if (isNaN(a) || isNaN(b)) { - console.warn("failed evaluating CALC arguments a='" + args[0] + "' b='" + args[2] + "'."); - return; - } - var result; - switch 
(args[1]) { - case "+": - result = a + b; - break; - case "-": - result = a - b; - break; - case "*": - result = a * b; - break; - default: - // Only * and + seen in the parsers. - console.warn("unknown CALC operation '" + args[1] + "'."); - return; - } - // Always return a string - return result !== undefined ? "" + result : result; -} - -var quoteChars = "\"'`"; -function RMQ(args) { - if(args.length !== 1) { - console.warn("RMQ: only one argument expected"); - return; - } - var value = args[0].trim(); - var n = value.length; - var char; - return n > 1 - && (char=value.charAt(0)) === value.charAt(n-1) - && quoteChars.indexOf(char) !== -1? - value.substr(1, n-2) - : value; -} - -function call(opts) { - var args = new Array(opts.args.length); - return function (evt) { - for (var i = 0; i < opts.args.length; i++) - if ((args[i] = opts.args[i](evt)) == null) return; - var result = opts.fn(args); - if (result != null) { - evt.Put(opts.dest, result); - } - }; -} - -function nop(evt) { -} - -function appendErrorMsg(evt, msg) { - var value = evt.Get("error.message"); - if (value == null) { - value = [msg]; - } else if (msg instanceof Array) { - value.push(msg); - } else { - value = [value, msg]; - } - evt.Put("error.message", value); -} - -function unimplemented(name) { - appendErrorMsg("unimplemented feature: " + name); -} - -function lookup(opts) { - return function (evt) { - var key = opts.key(evt); - if (key == null) return; - var value = opts.map.keyvaluepairs[key]; - if (value === undefined) { - value = opts.map.default; - } - if (value !== undefined) { - evt.Put(opts.dest, value(evt)); - } - }; -} - -function set(fields) { - return new processor.AddFields({ - target: FIELDS_OBJECT, - fields: fields, - }); -} - -function setf(dst, src) { - return function (evt) { - var val = evt.Get(FIELDS_PREFIX + src); - if (val != null) evt.Put(FIELDS_PREFIX + dst, val); - }; -} - -function setc(dst, value) { - return function (evt) { - evt.Put(FIELDS_PREFIX + dst, value); - }; 
-} - -function set_field(opts) { - return function (evt) { - var val = opts.value(evt); - if (val != null) evt.Put(opts.dest, val); - }; -} - -function dump(label) { - return function (evt) { - console.log("Dump of event at " + label + ": " + JSON.stringify(evt, null, "\t")); - }; -} - -function date_time_join_args(evt, arglist) { - var str = ""; - for (var i = 0; i < arglist.length; i++) { - var fname = FIELDS_PREFIX + arglist[i]; - var val = evt.Get(fname); - if (val != null) { - if (str !== "") str += " "; - str += val; - } else { - if (debug) console.warn("in date_time: input arg " + fname + " is not set"); - } - } - return str; -} - -function to2Digit(num) { - return num? (num < 10? "0" + num : num) : "00"; -} - -// Make two-digit dates 00-69 interpreted as 2000-2069 -// and dates 70-99 translated to 1970-1999. -var twoDigitYearEpoch = 70; -var twoDigitYearCentury = 2000; - -// This is to accept dates up to 2 days in the future, only used when -// no year is specified in a date. 2 days should be enough to account for -// time differences between systems and different tz offsets. -var maxFutureDelta = 2*24*60*60*1000; - -// DateContainer stores date fields and then converts those fields into -// a Date. Necessary because building a Date using its set() methods gives -// different results depending on the order of components. -function DateContainer(tzOffset) { - this.offset = tzOffset === undefined? "Z" : tzOffset; -} - -DateContainer.prototype = { - setYear: function(v) {this.year = v;}, - setMonth: function(v) {this.month = v;}, - setDay: function(v) {this.day = v;}, - setHours: function(v) {this.hours = v;}, - setMinutes: function(v) {this.minutes = v;}, - setSeconds: function(v) {this.seconds = v;}, - - setUNIX: function(v) {this.unix = v;}, - - set2DigitYear: function(v) { - this.year = v < twoDigitYearEpoch? 
twoDigitYearCentury + v : twoDigitYearCentury + v - 100; - }, - - toDate: function() { - if (this.unix !== undefined) { - return new Date(this.unix * 1000); - } - if (this.day === undefined || this.month === undefined) { - // Can't make a date from this. - return undefined; - } - if (this.year === undefined) { - // A date without a year. Set current year, or previous year - // if date would be in the future. - var now = new Date(); - this.year = now.getFullYear(); - var date = this.toDate(); - if (date.getTime() - now.getTime() > maxFutureDelta) { - date.setFullYear(now.getFullYear() - 1); - } - return date; - } - var MM = to2Digit(this.month); - var DD = to2Digit(this.day); - var hh = to2Digit(this.hours); - var mm = to2Digit(this.minutes); - var ss = to2Digit(this.seconds); - return new Date(this.year + "-" + MM + "-" + DD + "T" + hh + ":" + mm + ":" + ss + this.offset); - } -} - -function date_time_try_pattern(fmt, str, tzOffset) { - var date = new DateContainer(tzOffset); - var pos = date_time_try_pattern_at_pos(fmt, str, 0, date); - return pos !== undefined? 
date.toDate() : undefined; -} - -function date_time_try_pattern_at_pos(fmt, str, pos, date) { - var len = str.length; - for (var proc = 0; pos !== undefined && pos < len && proc < fmt.length; proc++) { - pos = fmt[proc](str, pos, date); - } - return pos; -} - -function date_time(opts) { - return function (evt) { - var tzOffset = opts.tz || tz_offset; - if (tzOffset === "event") { - tzOffset = evt.Get("event.timezone"); - } - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var date = date_time_try_pattern(opts.fmts[i], str, tzOffset); - if (date !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, date); - return; - } - } - if (debug) console.warn("in date_time: id=" + opts.id + " FAILED: " + str); - }; -} - -var uA = 60 * 60 * 24; -var uD = 60 * 60 * 24; -var uF = 60 * 60; -var uG = 60 * 60 * 24 * 30; -var uH = 60 * 60; -var uI = 60 * 60; -var uJ = 60 * 60 * 24; -var uM = 60 * 60 * 24 * 30; -var uN = 60 * 60; -var uO = 1; -var uS = 1; -var uT = 60; -var uU = 60; -var uc = dc; - -function duration(opts) { - return function(evt) { - var str = date_time_join_args(evt, opts.args); - for (var i = 0; i < opts.fmts.length; i++) { - var seconds = duration_try_pattern(opts.fmts[i], str); - if (seconds !== undefined) { - evt.Put(FIELDS_PREFIX + opts.dest, seconds); - return; - } - } - if (debug) console.warn("in duration: id=" + opts.id + " (s) FAILED: " + str); - }; -} - -function duration_try_pattern(fmt, str) { - var secs = 0; - var pos = 0; - for (var i=0; i [ month_id , how many chars to skip if month in long form ] - "Jan": [0, 4], - "Feb": [1, 5], - "Mar": [2, 2], - "Apr": [3, 2], - "May": [4, 0], - "Jun": [5, 1], - "Jul": [6, 1], - "Aug": [7, 3], - "Sep": [8, 6], - "Oct": [9, 4], - "Nov": [10, 5], - "Dec": [11, 4], - "jan": [0, 4], - "feb": [1, 5], - "mar": [2, 2], - "apr": [3, 2], - "may": [4, 0], - "jun": [5, 1], - "jul": [6, 1], - "aug": [7, 3], - "sep": [8, 6], - "oct": [9, 4], - "nov": [10, 5], - "dec": [11, 4], 
-}; - -// var dC = undefined; -var dR = dateMonthName(true); -var dB = dateMonthName(false); -var dM = dateFixedWidthNumber("M", 2, 1, 12, DateContainer.prototype.setMonth); -var dG = dateVariableWidthNumber("G", 1, 12, DateContainer.prototype.setMonth); -var dD = dateFixedWidthNumber("D", 2, 1, 31, DateContainer.prototype.setDay); -var dF = dateVariableWidthNumber("F", 1, 31, DateContainer.prototype.setDay); -var dH = dateFixedWidthNumber("H", 2, 0, 24, DateContainer.prototype.setHours); -var dI = dateVariableWidthNumber("I", 0, 24, DateContainer.prototype.setHours); // Accept hours >12 -var dN = dateVariableWidthNumber("N", 0, 24, DateContainer.prototype.setHours); -var dT = dateFixedWidthNumber("T", 2, 0, 59, DateContainer.prototype.setMinutes); -var dU = dateVariableWidthNumber("U", 0, 59, DateContainer.prototype.setMinutes); -var dP = parseAMPM; // AM|PM -var dQ = parseAMPM; // A.M.|P.M -var dS = dateFixedWidthNumber("S", 2, 0, 60, DateContainer.prototype.setSeconds); -var dO = dateVariableWidthNumber("O", 0, 60, DateContainer.prototype.setSeconds); -var dY = dateFixedWidthNumber("Y", 2, 0, 99, DateContainer.prototype.set2DigitYear); -var dW = dateFixedWidthNumber("W", 4, 1000, 9999, DateContainer.prototype.setYear); -var dZ = parseHMS; -var dX = dateVariableWidthNumber("X", 0, 0x10000000000, DateContainer.prototype.setUNIX); - -// parseAMPM parses "A.M", "AM", "P.M", "PM" from logs. -// Only works if this modifier appears after the hour has been read from logs -// which is always the case in the 300 devices. 
-function parseAMPM(str, pos, date) { - var n = str.length; - var start = skipws(str, pos); - if (start + 2 > n) return; - var head = str.substr(start, 2).toUpperCase(); - var isPM = false; - var skip = false; - switch (head) { - case "A.": - skip = true; - /* falls through */ - case "AM": - break; - case "P.": - skip = true; - /* falls through */ - case "PM": - isPM = true; - break; - default: - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(head:" + head + ")"); - return; - } - pos = start + 2; - if (skip) { - if (pos+2 > n || str.substr(pos, 2).toUpperCase() !== "M.") { - if (debug) console.warn("can't parse pos " + start + " as AM/PM: " + str + "(tail)"); - return; - } - pos += 2; - } - var hh = date.hours; - if (isPM) { - // Accept existing hour in 24h format. - if (hh < 12) hh += 12; - } else { - if (hh === 12) hh = 0; - } - date.setHours(hh); - return pos; -} - -function parseHMS(str, pos, date) { - return date_time_try_pattern_at_pos([dN, dc(":"), dU, dc(":"), dO], str, pos, date); -} - -function skipws(str, pos) { - for ( var n = str.length; - pos < n && str.charAt(pos) === " "; - pos++) - ; - return pos; -} - -function skipdigits(str, pos) { - var c; - for (var n = str.length; - pos < n && (c = str.charAt(pos)) >= "0" && c <= "9"; - pos++) - ; - return pos; -} - -function dSkip(str, pos, date) { - var chr; - for (;pos < str.length && (chr=str[pos])<'0' || chr>'9'; pos++) {} - return pos < str.length? 
pos : undefined; -} - -function dateVariableWidthNumber(fmtChar, min, max, setter) { - return function (str, pos, date) { - var start = skipws(str, pos); - pos = skipdigits(str, start); - var s = str.substr(start, pos - start); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos; - } - return; - }; -} - -function dateFixedWidthNumber(fmtChar, width, min, max, setter) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + width > n) return; - var s = str.substr(pos, width); - var value = parseInt(s, 10); - if (value >= min && value <= max) { - setter.call(date, value); - return pos + width; - } - return; - }; -} - -// Short month name (Jan..Dec). -function dateMonthName(long) { - return function (str, pos, date) { - pos = skipws(str, pos); - var n = str.length; - if (pos + 3 > n) return; - var mon = str.substr(pos, 3); - var idx = shortMonths[mon]; - if (idx === undefined) { - idx = shortMonths[mon.toLowerCase()]; - } - if (idx === undefined) { - //console.warn("parsing date_time: '" + mon + "' is not a valid short month (%B)"); - return; - } - date.setMonth(idx[0]+1); - return pos + 3 + (long ? 
idx[1] : 0); - }; -} - -function url_wrapper(dst, src, fn) { - return function(evt) { - var value = evt.Get(FIELDS_PREFIX + src), result; - if (value != null && (result = fn(value))!== undefined) { - evt.Put(FIELDS_PREFIX + dst, result); - } else { - console.error(fn.name + " failed for '" + value + "'"); - } - }; -} - -// The following regular expression for parsing URLs from: -// https://github.com/wizard04wsu/URI_Parsing -// -// The MIT License (MIT) -// -// Copyright (c) 2014 Andrew Harrison -// -// Permission is hereby granted, free of charge, to any person obtaining a copy of -// this software and associated documentation files (the "Software"), to deal in -// the Software without restriction, including without limitation the rights to -// use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of -// the Software, and to permit persons to whom the Software is furnished to do so, -// subject to the following conditions: -// -// The above copyright notice and this permission notice shall be included in all -// copies or substantial portions of the Software. -// -// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS -// FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR -// COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER -// IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN -// CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
-var uriRegExp = /^([a-z][a-z0-9+.\-]*):(?:\/\/((?:(?=((?:[a-z0-9\-._~!$&'()*+,;=:]|%[0-9A-F]{2})*))(\3)@)?(?=(\[[0-9A-F:.]{2,}\]|(?:[a-z0-9\-._~!$&'()*+,;=]|%[0-9A-F]{2})*))\5(?::(?=(\d*))\6)?)(\/(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\8)?|(\/?(?!\/)(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/]|%[0-9A-F]{2})*))\10)?)(?:\?(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\11)?(?:#(?=((?:[a-z0-9-._~!$&'()*+,;=:@\/?]|%[0-9A-F]{2})*))\12)?$/i; - -var uriScheme = 1; -var uriDomain = 5; -var uriPort = 6; -var uriPath = 7; -var uriPathAlt = 9; -var uriQuery = 11; - -function domain(dst, src) { - return url_wrapper(dst, src, extract_domain); -} - -function split_url(value) { - var m = value.match(uriRegExp); - if (m && m[uriDomain]) return m; - // Support input in the form "www.example.net/path", but not "/path". - m = ("null://" + value).match(uriRegExp); - if (m) return m; -} - -function extract_domain(value) { - var m = split_url(value); - if (m && m[uriDomain]) return m[uriDomain]; -} - -var extFromPage = /\.[^.]+$/; -function extract_ext(value) { - var page = extract_page(value); - if (page) { - var m = page.match(extFromPage); - if (m) return m[0]; - } -} - -function ext(dst, src) { - return url_wrapper(dst, src, extract_ext); -} - -function fqdn(dst, src) { - // TODO: fqdn and domain(eTLD+1) are currently the same. - return domain(dst, src); -} - -var pageFromPathRegExp = /\/([^\/]+)$/; -var pageName = 1; - -function extract_page(value) { - value = extract_path(value); - if (!value) return undefined; - var m = value.match(pageFromPathRegExp); - if (m) return m[pageName]; -} - -function page(dst, src) { - return url_wrapper(dst, src, extract_page); -} - -function extract_path(value) { - var m = split_url(value); - return m? m[uriPath] || m[uriPathAlt] : undefined; -} - -function path(dst, src) { - return url_wrapper(dst, src, extract_path); -} - -// Map common schemes to their default port. -// port has to be a string (will be converted at a later stage). 
-var schemePort = { - "ftp": "21", - "ssh": "22", - "http": "80", - "https": "443", -}; - -function extract_port(value) { - var m = split_url(value); - if (!m) return undefined; - if (m[uriPort]) return m[uriPort]; - if (m[uriScheme]) { - return schemePort[m[uriScheme]]; - } -} - -function port(dst, src) { - return url_wrapper(dst, src, extract_port); -} - -function extract_query(value) { - var m = split_url(value); - if (m && m[uriQuery]) return m[uriQuery]; -} - -function query(dst, src) { - return url_wrapper(dst, src, extract_query); -} - -function extract_root(value) { - var m = split_url(value); - if (m && m[uriDomain] && m[uriDomain]) { - var scheme = m[uriScheme] && m[uriScheme] !== "null"? - m[uriScheme] + "://" : ""; - var port = m[uriPort]? ":" + m[uriPort] : ""; - return scheme + m[uriDomain] + port; - } -} - -function root(dst, src) { - return url_wrapper(dst, src, extract_root); -} - -var ecs_mappings = { - "_facility": {convert: to_long, to:[{field: "log.syslog.facility.code", setter: fld_set}]}, - "_pri": {convert: to_long, to:[{field: "log.syslog.priority", setter: fld_set}]}, - "_severity": {convert: to_long, to:[{field: "log.syslog.severity.code", setter: fld_set}]}, - "action": {to:[{field: "event.action", setter: fld_prio, prio: 0}]}, - "administrator": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 4}]}, - "alias.ip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 3},{field: "related.ip", setter: fld_append}]}, - "alias.ipv6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 4},{field: "related.ip", setter: fld_append}]}, - "alias.mac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 1}]}, - "application": {to:[{field: "network.application", setter: fld_set}]}, - "bytes": {convert: to_long, to:[{field: "network.bytes", setter: fld_set}]}, - "c_domain": {to:[{field: "source.domain", setter: fld_prio, prio: 1}]}, - "c_logon_id": {to:[{field: 
"user.id", setter: fld_prio, prio: 2}]}, - "c_user_name": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 8}]}, - "c_username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 2}]}, - "cctld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 1}]}, - "child_pid": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 1}]}, - "child_pid_val": {to:[{field: "process.title", setter: fld_set}]}, - "child_process": {to:[{field: "process.name", setter: fld_prio, prio: 1}]}, - "city.dst": {to:[{field: "destination.geo.city_name", setter: fld_set}]}, - "city.src": {to:[{field: "source.geo.city_name", setter: fld_set}]}, - "daddr": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, - "daddr_v6": {convert: to_ip, to:[{field: "destination.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, - "ddomain": {to:[{field: "destination.domain", setter: fld_prio, prio: 0}]}, - "devicehostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "devicehostmac": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 0}]}, - "dhost": {to:[{field: "destination.address", setter: fld_set}]}, - "dinterface": {to:[{field: "observer.egress.interface.name", setter: fld_set}]}, - "direction": {to:[{field: "network.direction", setter: fld_set}]}, - "directory": {to:[{field: "file.directory", setter: fld_set}]}, - "dmacaddr": {convert: to_mac, to:[{field: "destination.mac", setter: fld_set}]}, - "dns.responsetype": {to:[{field: "dns.answers.type", setter: fld_set}]}, - "dns.resptext": {to:[{field: "dns.answers.name", setter: fld_set}]}, - "dns_querytype": {to:[{field: "dns.question.type", setter: fld_set}]}, - "domain": {to:[{field: "server.domain", setter: fld_prio, prio: 0}]}, - "domain.dst": {to:[{field: "destination.domain", 
setter: fld_prio, prio: 1}]}, - "domain.src": {to:[{field: "source.domain", setter: fld_prio, prio: 2}]}, - "domain_id": {to:[{field: "user.domain", setter: fld_set}]}, - "domainname": {to:[{field: "server.domain", setter: fld_prio, prio: 1}]}, - "dport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 0}]}, - "dtransaddr": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "dtransport": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 0}]}, - "ec_outcome": {to:[{field: "event.outcome", setter: fld_ecs_outcome}]}, - "event_description": {to:[{field: "message", setter: fld_prio, prio: 0}]}, - "event_time": {convert: to_date, to:[{field: "@timestamp", setter: fld_set}]}, - "event_type": {to:[{field: "event.action", setter: fld_prio, prio: 1}]}, - "extension": {to:[{field: "file.extension", setter: fld_prio, prio: 1}]}, - "file.attributes": {to:[{field: "file.attributes", setter: fld_set}]}, - "filename": {to:[{field: "file.name", setter: fld_prio, prio: 0}]}, - "filename_size": {convert: to_long, to:[{field: "file.size", setter: fld_set}]}, - "filepath": {to:[{field: "file.path", setter: fld_set}]}, - "filetype": {to:[{field: "file.type", setter: fld_set}]}, - "group": {to:[{field: "group.name", setter: fld_set}]}, - "groupid": {to:[{field: "group.id", setter: fld_set}]}, - "host": {to:[{field: "host.name", setter: fld_prio, prio: 1}]}, - "hostip": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "hostip_v6": {convert: to_ip, to:[{field: "host.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "hostname": {to:[{field: "host.name", setter: fld_prio, prio: 0}]}, - "id": {to:[{field: "event.code", setter: fld_prio, prio: 0}]}, - "interface": {to:[{field: "network.interface.name", setter: fld_set}]}, - "ip.orig": {convert: to_ip, to:[{field: 
"network.forwarded_ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "ip.trans.dst": {convert: to_ip, to:[{field: "destination.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ip.trans.src": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "ipv6.orig": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 2},{field: "related.ip", setter: fld_append}]}, - "latdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lat", setter: fld_set}]}, - "latdec_src": {convert: to_double, to:[{field: "source.geo.location.lat", setter: fld_set}]}, - "location_city": {to:[{field: "geo.city_name", setter: fld_set}]}, - "location_country": {to:[{field: "geo.country_name", setter: fld_set}]}, - "location_desc": {to:[{field: "geo.name", setter: fld_set}]}, - "location_dst": {to:[{field: "destination.geo.country_name", setter: fld_set}]}, - "location_src": {to:[{field: "source.geo.country_name", setter: fld_set}]}, - "location_state": {to:[{field: "geo.region_name", setter: fld_set}]}, - "logon_id": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 5}]}, - "longdec_dst": {convert: to_double, to:[{field: "destination.geo.location.lon", setter: fld_set}]}, - "longdec_src": {convert: to_double, to:[{field: "source.geo.location.lon", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "host.mac", setter: fld_prio, prio: 2}]}, - "messageid": {to:[{field: "event.code", setter: fld_prio, prio: 1}]}, - "method": {to:[{field: "http.request.method", setter: fld_set}]}, - "msg": {to:[{field: "log.original", setter: fld_set}]}, - "orig_ip": {convert: to_ip, to:[{field: "network.forwarded_ip", setter: fld_prio, prio: 1},{field: "related.ip", setter: fld_append}]}, - "owner": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 6}]}, - 
"packets": {convert: to_long, to:[{field: "network.packets", setter: fld_set}]}, - "parent_pid": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 0}]}, - "parent_pid_val": {to:[{field: "process.parent.title", setter: fld_set}]}, - "parent_process": {to:[{field: "process.parent.name", setter: fld_prio, prio: 0}]}, - "patient_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 1}]}, - "port.dst": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 1}]}, - "port.src": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 1}]}, - "port.trans.dst": {convert: to_long, to:[{field: "destination.nat.port", setter: fld_prio, prio: 1}]}, - "port.trans.src": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 1}]}, - "process": {to:[{field: "process.name", setter: fld_prio, prio: 0}]}, - "process_id": {convert: to_long, to:[{field: "process.pid", setter: fld_prio, prio: 0}]}, - "process_id_src": {convert: to_long, to:[{field: "process.ppid", setter: fld_prio, prio: 1}]}, - "process_src": {to:[{field: "process.parent.name", setter: fld_prio, prio: 1}]}, - "product": {to:[{field: "observer.product", setter: fld_set}]}, - "protocol": {to:[{field: "network.protocol", setter: fld_set}]}, - "query": {to:[{field: "url.query", setter: fld_prio, prio: 2}]}, - "rbytes": {convert: to_long, to:[{field: "destination.bytes", setter: fld_set}]}, - "referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 1}]}, - "rulename": {to:[{field: "rule.name", setter: fld_set}]}, - "saddr": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, - "saddr_v6": {convert: to_ip, to:[{field: "source.ip", setter: fld_append},{field: "related.ip", setter: fld_append}]}, - "sbytes": {convert: to_long, to:[{field: "source.bytes", setter: fld_set}]}, - "sdomain": {to:[{field: "source.domain", setter: fld_prio, prio: 0}]}, - "service": {to:[{field: 
"service.name", setter: fld_prio, prio: 1}]}, - "service.name": {to:[{field: "service.name", setter: fld_prio, prio: 0}]}, - "service_account": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 7}]}, - "severity": {to:[{field: "log.level", setter: fld_set}]}, - "shost": {to:[{field: "host.hostname", setter: fld_set},{field: "source.address", setter: fld_set}]}, - "sinterface": {to:[{field: "observer.ingress.interface.name", setter: fld_set}]}, - "sld": {to:[{field: "url.registered_domain", setter: fld_set}]}, - "smacaddr": {convert: to_mac, to:[{field: "source.mac", setter: fld_set}]}, - "sport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 0}]}, - "stransaddr": {convert: to_ip, to:[{field: "source.nat.ip", setter: fld_prio, prio: 0},{field: "related.ip", setter: fld_append}]}, - "stransport": {convert: to_long, to:[{field: "source.nat.port", setter: fld_prio, prio: 0}]}, - "tcp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 2}]}, - "tcp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 2}]}, - "timezone": {to:[{field: "event.timezone", setter: fld_set}]}, - "tld": {to:[{field: "url.top_level_domain", setter: fld_prio, prio: 0}]}, - "udp.dstport": {convert: to_long, to:[{field: "destination.port", setter: fld_prio, prio: 3}]}, - "udp.srcport": {convert: to_long, to:[{field: "source.port", setter: fld_prio, prio: 3}]}, - "uid": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 3}]}, - "url": {to:[{field: "url.original", setter: fld_prio, prio: 1}]}, - "url_raw": {to:[{field: "url.original", setter: fld_prio, prio: 0}]}, - "urldomain": {to:[{field: "url.domain", setter: fld_prio, prio: 0}]}, - "urlquery": {to:[{field: "url.query", setter: fld_prio, prio: 0}]}, - "user": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 0}]}, - "user.id": 
{to:[{field: "user.id", setter: fld_prio, prio: 1}]}, - "user_agent": {to:[{field: "user_agent.original", setter: fld_set}]}, - "user_fullname": {to:[{field: "user.full_name", setter: fld_prio, prio: 0}]}, - "user_id": {to:[{field: "user.id", setter: fld_prio, prio: 0}]}, - "username": {to:[{field: "related.user", setter: fld_append},{field: "user.name", setter: fld_prio, prio: 1}]}, - "version": {to:[{field: "observer.version", setter: fld_set}]}, - "web_domain": {to:[{field: "url.domain", setter: fld_prio, prio: 1}]}, - "web_extension": {to:[{field: "file.extension", setter: fld_prio, prio: 0}]}, - "web_query": {to:[{field: "url.query", setter: fld_prio, prio: 1}]}, - "web_referer": {to:[{field: "http.request.referrer", setter: fld_prio, prio: 0}]}, - "web_root": {to:[{field: "url.path", setter: fld_set}]}, - "webpage": {to:[{field: "file.name", setter: fld_prio, prio: 1}]}, -}; - -var rsa_mappings = { - "access_point": {to:[{field: "rsa.wireless.access_point", setter: fld_set}]}, - "accesses": {to:[{field: "rsa.identity.accesses", setter: fld_set}]}, - "acl_id": {to:[{field: "rsa.misc.acl_id", setter: fld_set}]}, - "acl_op": {to:[{field: "rsa.misc.acl_op", setter: fld_set}]}, - "acl_pos": {to:[{field: "rsa.misc.acl_pos", setter: fld_set}]}, - "acl_table": {to:[{field: "rsa.misc.acl_table", setter: fld_set}]}, - "action": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "ad_computer_dst": {to:[{field: "rsa.network.ad_computer_dst", setter: fld_set}]}, - "addr": {to:[{field: "rsa.network.addr", setter: fld_set}]}, - "admin": {to:[{field: "rsa.misc.admin", setter: fld_set}]}, - "agent": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 0}]}, - "agent.id": {to:[{field: "rsa.misc.agent_id", setter: fld_set}]}, - "alarm_id": {to:[{field: "rsa.misc.alarm_id", setter: fld_set}]}, - "alarmname": {to:[{field: "rsa.misc.alarmname", setter: fld_set}]}, - "alert": {to:[{field: "rsa.threat.alert", setter: fld_set}]}, - "alert_id": {to:[{field: 
"rsa.misc.alert_id", setter: fld_set}]}, - "alias.host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "analysis.file": {to:[{field: "rsa.investigations.analysis_file", setter: fld_set}]}, - "analysis.service": {to:[{field: "rsa.investigations.analysis_service", setter: fld_set}]}, - "analysis.session": {to:[{field: "rsa.investigations.analysis_session", setter: fld_set}]}, - "app_id": {to:[{field: "rsa.misc.app_id", setter: fld_set}]}, - "attachment": {to:[{field: "rsa.file.attachment", setter: fld_set}]}, - "audit": {to:[{field: "rsa.misc.audit", setter: fld_set}]}, - "audit_class": {to:[{field: "rsa.internal.audit_class", setter: fld_set}]}, - "audit_object": {to:[{field: "rsa.misc.audit_object", setter: fld_set}]}, - "auditdata": {to:[{field: "rsa.misc.auditdata", setter: fld_set}]}, - "authmethod": {to:[{field: "rsa.identity.auth_method", setter: fld_set}]}, - "autorun_type": {to:[{field: "rsa.misc.autorun_type", setter: fld_set}]}, - "bcc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "benchmark": {to:[{field: "rsa.misc.benchmark", setter: fld_set}]}, - "binary": {to:[{field: "rsa.file.binary", setter: fld_set}]}, - "boc": {to:[{field: "rsa.investigations.boc", setter: fld_set}]}, - "bssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 1}]}, - "bypass": {to:[{field: "rsa.misc.bypass", setter: fld_set}]}, - "c_sid": {to:[{field: "rsa.identity.user_sid_src", setter: fld_set}]}, - "cache": {to:[{field: "rsa.misc.cache", setter: fld_set}]}, - "cache_hit": {to:[{field: "rsa.misc.cache_hit", setter: fld_set}]}, - "calling_from": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 1}]}, - "calling_to": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 0}]}, - "category": {to:[{field: "rsa.misc.category", setter: fld_set}]}, - "cc": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "cc.number": {convert: to_long, to:[{field: "rsa.misc.cc_number", setter: fld_set}]}, - "cefversion": {to:[{field: 
"rsa.misc.cefversion", setter: fld_set}]}, - "cert.serial": {to:[{field: "rsa.crypto.cert_serial", setter: fld_set}]}, - "cert_ca": {to:[{field: "rsa.crypto.cert_ca", setter: fld_set}]}, - "cert_checksum": {to:[{field: "rsa.crypto.cert_checksum", setter: fld_set}]}, - "cert_common": {to:[{field: "rsa.crypto.cert_common", setter: fld_set}]}, - "cert_error": {to:[{field: "rsa.crypto.cert_error", setter: fld_set}]}, - "cert_hostname": {to:[{field: "rsa.crypto.cert_host_name", setter: fld_set}]}, - "cert_hostname_cat": {to:[{field: "rsa.crypto.cert_host_cat", setter: fld_set}]}, - "cert_issuer": {to:[{field: "rsa.crypto.cert_issuer", setter: fld_set}]}, - "cert_keysize": {to:[{field: "rsa.crypto.cert_keysize", setter: fld_set}]}, - "cert_status": {to:[{field: "rsa.crypto.cert_status", setter: fld_set}]}, - "cert_subject": {to:[{field: "rsa.crypto.cert_subject", setter: fld_set}]}, - "cert_username": {to:[{field: "rsa.crypto.cert_username", setter: fld_set}]}, - "cfg.attr": {to:[{field: "rsa.misc.cfg_attr", setter: fld_set}]}, - "cfg.obj": {to:[{field: "rsa.misc.cfg_obj", setter: fld_set}]}, - "cfg.path": {to:[{field: "rsa.misc.cfg_path", setter: fld_set}]}, - "change_attribute": {to:[{field: "rsa.misc.change_attrib", setter: fld_set}]}, - "change_new": {to:[{field: "rsa.misc.change_new", setter: fld_set}]}, - "change_old": {to:[{field: "rsa.misc.change_old", setter: fld_set}]}, - "changes": {to:[{field: "rsa.misc.changes", setter: fld_set}]}, - "checksum": {to:[{field: "rsa.misc.checksum", setter: fld_set}]}, - "checksum.dst": {to:[{field: "rsa.misc.checksum_dst", setter: fld_set}]}, - "checksum.src": {to:[{field: "rsa.misc.checksum_src", setter: fld_set}]}, - "cid": {to:[{field: "rsa.internal.cid", setter: fld_set}]}, - "client": {to:[{field: "rsa.misc.client", setter: fld_prio, prio: 1}]}, - "client_ip": {to:[{field: "rsa.misc.client_ip", setter: fld_set}]}, - "clustermembers": {to:[{field: "rsa.misc.clustermembers", setter: fld_set}]}, - "cmd": {to:[{field: 
"rsa.misc.cmd", setter: fld_set}]}, - "cn_acttimeout": {to:[{field: "rsa.misc.cn_acttimeout", setter: fld_set}]}, - "cn_asn_dst": {to:[{field: "rsa.web.cn_asn_dst", setter: fld_set}]}, - "cn_asn_src": {to:[{field: "rsa.misc.cn_asn_src", setter: fld_set}]}, - "cn_bgpv4nxthop": {to:[{field: "rsa.misc.cn_bgpv4nxthop", setter: fld_set}]}, - "cn_ctr_dst_code": {to:[{field: "rsa.misc.cn_ctr_dst_code", setter: fld_set}]}, - "cn_dst_tos": {to:[{field: "rsa.misc.cn_dst_tos", setter: fld_set}]}, - "cn_dst_vlan": {to:[{field: "rsa.misc.cn_dst_vlan", setter: fld_set}]}, - "cn_engine_id": {to:[{field: "rsa.misc.cn_engine_id", setter: fld_set}]}, - "cn_engine_type": {to:[{field: "rsa.misc.cn_engine_type", setter: fld_set}]}, - "cn_f_switch": {to:[{field: "rsa.misc.cn_f_switch", setter: fld_set}]}, - "cn_flowsampid": {to:[{field: "rsa.misc.cn_flowsampid", setter: fld_set}]}, - "cn_flowsampintv": {to:[{field: "rsa.misc.cn_flowsampintv", setter: fld_set}]}, - "cn_flowsampmode": {to:[{field: "rsa.misc.cn_flowsampmode", setter: fld_set}]}, - "cn_inacttimeout": {to:[{field: "rsa.misc.cn_inacttimeout", setter: fld_set}]}, - "cn_inpermbyts": {to:[{field: "rsa.misc.cn_inpermbyts", setter: fld_set}]}, - "cn_inpermpckts": {to:[{field: "rsa.misc.cn_inpermpckts", setter: fld_set}]}, - "cn_invalid": {to:[{field: "rsa.misc.cn_invalid", setter: fld_set}]}, - "cn_ip_proto_ver": {to:[{field: "rsa.misc.cn_ip_proto_ver", setter: fld_set}]}, - "cn_ipv4_ident": {to:[{field: "rsa.misc.cn_ipv4_ident", setter: fld_set}]}, - "cn_l_switch": {to:[{field: "rsa.misc.cn_l_switch", setter: fld_set}]}, - "cn_log_did": {to:[{field: "rsa.misc.cn_log_did", setter: fld_set}]}, - "cn_log_rid": {to:[{field: "rsa.misc.cn_log_rid", setter: fld_set}]}, - "cn_max_ttl": {to:[{field: "rsa.misc.cn_max_ttl", setter: fld_set}]}, - "cn_maxpcktlen": {to:[{field: "rsa.misc.cn_maxpcktlen", setter: fld_set}]}, - "cn_min_ttl": {to:[{field: "rsa.misc.cn_min_ttl", setter: fld_set}]}, - "cn_minpcktlen": {to:[{field: 
"rsa.misc.cn_minpcktlen", setter: fld_set}]}, - "cn_mpls_lbl_1": {to:[{field: "rsa.misc.cn_mpls_lbl_1", setter: fld_set}]}, - "cn_mpls_lbl_10": {to:[{field: "rsa.misc.cn_mpls_lbl_10", setter: fld_set}]}, - "cn_mpls_lbl_2": {to:[{field: "rsa.misc.cn_mpls_lbl_2", setter: fld_set}]}, - "cn_mpls_lbl_3": {to:[{field: "rsa.misc.cn_mpls_lbl_3", setter: fld_set}]}, - "cn_mpls_lbl_4": {to:[{field: "rsa.misc.cn_mpls_lbl_4", setter: fld_set}]}, - "cn_mpls_lbl_5": {to:[{field: "rsa.misc.cn_mpls_lbl_5", setter: fld_set}]}, - "cn_mpls_lbl_6": {to:[{field: "rsa.misc.cn_mpls_lbl_6", setter: fld_set}]}, - "cn_mpls_lbl_7": {to:[{field: "rsa.misc.cn_mpls_lbl_7", setter: fld_set}]}, - "cn_mpls_lbl_8": {to:[{field: "rsa.misc.cn_mpls_lbl_8", setter: fld_set}]}, - "cn_mpls_lbl_9": {to:[{field: "rsa.misc.cn_mpls_lbl_9", setter: fld_set}]}, - "cn_mplstoplabel": {to:[{field: "rsa.misc.cn_mplstoplabel", setter: fld_set}]}, - "cn_mplstoplabip": {to:[{field: "rsa.misc.cn_mplstoplabip", setter: fld_set}]}, - "cn_mul_dst_byt": {to:[{field: "rsa.misc.cn_mul_dst_byt", setter: fld_set}]}, - "cn_mul_dst_pks": {to:[{field: "rsa.misc.cn_mul_dst_pks", setter: fld_set}]}, - "cn_muligmptype": {to:[{field: "rsa.misc.cn_muligmptype", setter: fld_set}]}, - "cn_rpackets": {to:[{field: "rsa.web.cn_rpackets", setter: fld_set}]}, - "cn_sampalgo": {to:[{field: "rsa.misc.cn_sampalgo", setter: fld_set}]}, - "cn_sampint": {to:[{field: "rsa.misc.cn_sampint", setter: fld_set}]}, - "cn_seqctr": {to:[{field: "rsa.misc.cn_seqctr", setter: fld_set}]}, - "cn_spackets": {to:[{field: "rsa.misc.cn_spackets", setter: fld_set}]}, - "cn_src_tos": {to:[{field: "rsa.misc.cn_src_tos", setter: fld_set}]}, - "cn_src_vlan": {to:[{field: "rsa.misc.cn_src_vlan", setter: fld_set}]}, - "cn_sysuptime": {to:[{field: "rsa.misc.cn_sysuptime", setter: fld_set}]}, - "cn_template_id": {to:[{field: "rsa.misc.cn_template_id", setter: fld_set}]}, - "cn_totbytsexp": {to:[{field: "rsa.misc.cn_totbytsexp", setter: fld_set}]}, - "cn_totflowexp": 
{to:[{field: "rsa.misc.cn_totflowexp", setter: fld_set}]}, - "cn_totpcktsexp": {to:[{field: "rsa.misc.cn_totpcktsexp", setter: fld_set}]}, - "cn_unixnanosecs": {to:[{field: "rsa.misc.cn_unixnanosecs", setter: fld_set}]}, - "cn_v6flowlabel": {to:[{field: "rsa.misc.cn_v6flowlabel", setter: fld_set}]}, - "cn_v6optheaders": {to:[{field: "rsa.misc.cn_v6optheaders", setter: fld_set}]}, - "code": {to:[{field: "rsa.misc.code", setter: fld_set}]}, - "command": {to:[{field: "rsa.misc.command", setter: fld_set}]}, - "comments": {to:[{field: "rsa.misc.comments", setter: fld_set}]}, - "comp_class": {to:[{field: "rsa.misc.comp_class", setter: fld_set}]}, - "comp_name": {to:[{field: "rsa.misc.comp_name", setter: fld_set}]}, - "comp_rbytes": {to:[{field: "rsa.misc.comp_rbytes", setter: fld_set}]}, - "comp_sbytes": {to:[{field: "rsa.misc.comp_sbytes", setter: fld_set}]}, - "component_version": {to:[{field: "rsa.misc.comp_version", setter: fld_set}]}, - "connection_id": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 1}]}, - "connectionid": {to:[{field: "rsa.misc.connection_id", setter: fld_prio, prio: 0}]}, - "content": {to:[{field: "rsa.misc.content", setter: fld_set}]}, - "content_type": {to:[{field: "rsa.misc.content_type", setter: fld_set}]}, - "content_version": {to:[{field: "rsa.misc.content_version", setter: fld_set}]}, - "context": {to:[{field: "rsa.misc.context", setter: fld_set}]}, - "count": {to:[{field: "rsa.misc.count", setter: fld_set}]}, - "cpu": {convert: to_long, to:[{field: "rsa.misc.cpu", setter: fld_set}]}, - "cpu_data": {to:[{field: "rsa.misc.cpu_data", setter: fld_set}]}, - "criticality": {to:[{field: "rsa.misc.criticality", setter: fld_set}]}, - "cs_agency_dst": {to:[{field: "rsa.misc.cs_agency_dst", setter: fld_set}]}, - "cs_analyzedby": {to:[{field: "rsa.misc.cs_analyzedby", setter: fld_set}]}, - "cs_av_other": {to:[{field: "rsa.misc.cs_av_other", setter: fld_set}]}, - "cs_av_primary": {to:[{field: "rsa.misc.cs_av_primary", setter: 
fld_set}]}, - "cs_av_secondary": {to:[{field: "rsa.misc.cs_av_secondary", setter: fld_set}]}, - "cs_bgpv6nxthop": {to:[{field: "rsa.misc.cs_bgpv6nxthop", setter: fld_set}]}, - "cs_bit9status": {to:[{field: "rsa.misc.cs_bit9status", setter: fld_set}]}, - "cs_context": {to:[{field: "rsa.misc.cs_context", setter: fld_set}]}, - "cs_control": {to:[{field: "rsa.misc.cs_control", setter: fld_set}]}, - "cs_data": {to:[{field: "rsa.misc.cs_data", setter: fld_set}]}, - "cs_datecret": {to:[{field: "rsa.misc.cs_datecret", setter: fld_set}]}, - "cs_dst_tld": {to:[{field: "rsa.misc.cs_dst_tld", setter: fld_set}]}, - "cs_eth_dst_ven": {to:[{field: "rsa.misc.cs_eth_dst_ven", setter: fld_set}]}, - "cs_eth_src_ven": {to:[{field: "rsa.misc.cs_eth_src_ven", setter: fld_set}]}, - "cs_event_uuid": {to:[{field: "rsa.misc.cs_event_uuid", setter: fld_set}]}, - "cs_filetype": {to:[{field: "rsa.misc.cs_filetype", setter: fld_set}]}, - "cs_fld": {to:[{field: "rsa.misc.cs_fld", setter: fld_set}]}, - "cs_if_desc": {to:[{field: "rsa.misc.cs_if_desc", setter: fld_set}]}, - "cs_if_name": {to:[{field: "rsa.misc.cs_if_name", setter: fld_set}]}, - "cs_ip_next_hop": {to:[{field: "rsa.misc.cs_ip_next_hop", setter: fld_set}]}, - "cs_ipv4dstpre": {to:[{field: "rsa.misc.cs_ipv4dstpre", setter: fld_set}]}, - "cs_ipv4srcpre": {to:[{field: "rsa.misc.cs_ipv4srcpre", setter: fld_set}]}, - "cs_lifetime": {to:[{field: "rsa.misc.cs_lifetime", setter: fld_set}]}, - "cs_log_medium": {to:[{field: "rsa.misc.cs_log_medium", setter: fld_set}]}, - "cs_loginname": {to:[{field: "rsa.misc.cs_loginname", setter: fld_set}]}, - "cs_modulescore": {to:[{field: "rsa.misc.cs_modulescore", setter: fld_set}]}, - "cs_modulesign": {to:[{field: "rsa.misc.cs_modulesign", setter: fld_set}]}, - "cs_opswatresult": {to:[{field: "rsa.misc.cs_opswatresult", setter: fld_set}]}, - "cs_payload": {to:[{field: "rsa.misc.cs_payload", setter: fld_set}]}, - "cs_registrant": {to:[{field: "rsa.misc.cs_registrant", setter: fld_set}]}, - "cs_registrar": 
{to:[{field: "rsa.misc.cs_registrar", setter: fld_set}]}, - "cs_represult": {to:[{field: "rsa.misc.cs_represult", setter: fld_set}]}, - "cs_rpayload": {to:[{field: "rsa.misc.cs_rpayload", setter: fld_set}]}, - "cs_sampler_name": {to:[{field: "rsa.misc.cs_sampler_name", setter: fld_set}]}, - "cs_sourcemodule": {to:[{field: "rsa.misc.cs_sourcemodule", setter: fld_set}]}, - "cs_streams": {to:[{field: "rsa.misc.cs_streams", setter: fld_set}]}, - "cs_targetmodule": {to:[{field: "rsa.misc.cs_targetmodule", setter: fld_set}]}, - "cs_v6nxthop": {to:[{field: "rsa.misc.cs_v6nxthop", setter: fld_set}]}, - "cs_whois_server": {to:[{field: "rsa.misc.cs_whois_server", setter: fld_set}]}, - "cs_yararesult": {to:[{field: "rsa.misc.cs_yararesult", setter: fld_set}]}, - "cve": {to:[{field: "rsa.misc.cve", setter: fld_set}]}, - "d_certauth": {to:[{field: "rsa.crypto.d_certauth", setter: fld_set}]}, - "d_cipher": {to:[{field: "rsa.crypto.cipher_dst", setter: fld_set}]}, - "d_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_dst", setter: fld_set}]}, - "d_sslver": {to:[{field: "rsa.crypto.ssl_ver_dst", setter: fld_set}]}, - "data": {to:[{field: "rsa.internal.data", setter: fld_set}]}, - "data_type": {to:[{field: "rsa.misc.data_type", setter: fld_set}]}, - "date": {to:[{field: "rsa.time.date", setter: fld_set}]}, - "datetime": {to:[{field: "rsa.time.datetime", setter: fld_set}]}, - "day": {to:[{field: "rsa.time.day", setter: fld_set}]}, - "db_id": {to:[{field: "rsa.db.db_id", setter: fld_set}]}, - "db_name": {to:[{field: "rsa.db.database", setter: fld_set}]}, - "db_pid": {convert: to_long, to:[{field: "rsa.db.db_pid", setter: fld_set}]}, - "dclass_counter1": {convert: to_long, to:[{field: "rsa.counters.dclass_c1", setter: fld_set}]}, - "dclass_counter1_string": {to:[{field: "rsa.counters.dclass_c1_str", setter: fld_set}]}, - "dclass_counter2": {convert: to_long, to:[{field: "rsa.counters.dclass_c2", setter: fld_set}]}, - "dclass_counter2_string": {to:[{field: 
"rsa.counters.dclass_c2_str", setter: fld_set}]}, - "dclass_counter3": {convert: to_long, to:[{field: "rsa.counters.dclass_c3", setter: fld_set}]}, - "dclass_counter3_string": {to:[{field: "rsa.counters.dclass_c3_str", setter: fld_set}]}, - "dclass_ratio1": {to:[{field: "rsa.counters.dclass_r1", setter: fld_set}]}, - "dclass_ratio1_string": {to:[{field: "rsa.counters.dclass_r1_str", setter: fld_set}]}, - "dclass_ratio2": {to:[{field: "rsa.counters.dclass_r2", setter: fld_set}]}, - "dclass_ratio2_string": {to:[{field: "rsa.counters.dclass_r2_str", setter: fld_set}]}, - "dclass_ratio3": {to:[{field: "rsa.counters.dclass_r3", setter: fld_set}]}, - "dclass_ratio3_string": {to:[{field: "rsa.counters.dclass_r3_str", setter: fld_set}]}, - "dead": {convert: to_long, to:[{field: "rsa.internal.dead", setter: fld_set}]}, - "description": {to:[{field: "rsa.misc.description", setter: fld_set}]}, - "detail": {to:[{field: "rsa.misc.event_desc", setter: fld_set}]}, - "device": {to:[{field: "rsa.misc.device_name", setter: fld_set}]}, - "device.class": {to:[{field: "rsa.internal.device_class", setter: fld_set}]}, - "device.group": {to:[{field: "rsa.internal.device_group", setter: fld_set}]}, - "device.host": {to:[{field: "rsa.internal.device_host", setter: fld_set}]}, - "device.ip": {convert: to_ip, to:[{field: "rsa.internal.device_ip", setter: fld_set}]}, - "device.ipv6": {convert: to_ip, to:[{field: "rsa.internal.device_ipv6", setter: fld_set}]}, - "device.type": {to:[{field: "rsa.internal.device_type", setter: fld_set}]}, - "device.type.id": {convert: to_long, to:[{field: "rsa.internal.device_type_id", setter: fld_set}]}, - "devicehostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "devvendor": {to:[{field: "rsa.misc.devvendor", setter: fld_set}]}, - "dhost": {to:[{field: "rsa.network.host_dst", setter: fld_set}]}, - "did": {to:[{field: "rsa.internal.did", setter: fld_set}]}, - "dinterface": {to:[{field: "rsa.network.dinterface", setter: fld_set}]}, - 
"directory.dst": {to:[{field: "rsa.file.directory_dst", setter: fld_set}]}, - "directory.src": {to:[{field: "rsa.file.directory_src", setter: fld_set}]}, - "disk_volume": {to:[{field: "rsa.storage.disk_volume", setter: fld_set}]}, - "disposition": {to:[{field: "rsa.misc.disposition", setter: fld_set}]}, - "distance": {to:[{field: "rsa.misc.distance", setter: fld_set}]}, - "dmask": {to:[{field: "rsa.network.dmask", setter: fld_set}]}, - "dn": {to:[{field: "rsa.identity.dn", setter: fld_set}]}, - "dns_a_record": {to:[{field: "rsa.network.dns_a_record", setter: fld_set}]}, - "dns_cname_record": {to:[{field: "rsa.network.dns_cname_record", setter: fld_set}]}, - "dns_id": {to:[{field: "rsa.network.dns_id", setter: fld_set}]}, - "dns_opcode": {to:[{field: "rsa.network.dns_opcode", setter: fld_set}]}, - "dns_ptr_record": {to:[{field: "rsa.network.dns_ptr_record", setter: fld_set}]}, - "dns_resp": {to:[{field: "rsa.network.dns_resp", setter: fld_set}]}, - "dns_type": {to:[{field: "rsa.network.dns_type", setter: fld_set}]}, - "doc_number": {convert: to_long, to:[{field: "rsa.misc.doc_number", setter: fld_set}]}, - "domain": {to:[{field: "rsa.network.domain", setter: fld_set}]}, - "domain1": {to:[{field: "rsa.network.domain1", setter: fld_set}]}, - "dst_dn": {to:[{field: "rsa.identity.dn_dst", setter: fld_set}]}, - "dst_payload": {to:[{field: "rsa.misc.payload_dst", setter: fld_set}]}, - "dst_spi": {to:[{field: "rsa.misc.spi_dst", setter: fld_set}]}, - "dst_zone": {to:[{field: "rsa.network.zone_dst", setter: fld_set}]}, - "dstburb": {to:[{field: "rsa.misc.dstburb", setter: fld_set}]}, - "duration": {convert: to_double, to:[{field: "rsa.time.duration_time", setter: fld_set}]}, - "duration_string": {to:[{field: "rsa.time.duration_str", setter: fld_set}]}, - "ec_activity": {to:[{field: "rsa.investigations.ec_activity", setter: fld_set}]}, - "ec_outcome": {to:[{field: "rsa.investigations.ec_outcome", setter: fld_set}]}, - "ec_subject": {to:[{field: 
"rsa.investigations.ec_subject", setter: fld_set}]}, - "ec_theme": {to:[{field: "rsa.investigations.ec_theme", setter: fld_set}]}, - "edomain": {to:[{field: "rsa.misc.edomain", setter: fld_set}]}, - "edomaub": {to:[{field: "rsa.misc.edomaub", setter: fld_set}]}, - "effective_time": {convert: to_date, to:[{field: "rsa.time.effective_time", setter: fld_set}]}, - "ein.number": {convert: to_long, to:[{field: "rsa.misc.ein_number", setter: fld_set}]}, - "email": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "encryption_type": {to:[{field: "rsa.crypto.crypto", setter: fld_set}]}, - "endtime": {convert: to_date, to:[{field: "rsa.time.endtime", setter: fld_set}]}, - "entropy.req": {convert: to_long, to:[{field: "rsa.internal.entropy_req", setter: fld_set}]}, - "entropy.res": {convert: to_long, to:[{field: "rsa.internal.entropy_res", setter: fld_set}]}, - "entry": {to:[{field: "rsa.internal.entry", setter: fld_set}]}, - "eoc": {to:[{field: "rsa.investigations.eoc", setter: fld_set}]}, - "error": {to:[{field: "rsa.misc.error", setter: fld_set}]}, - "eth_type": {convert: to_long, to:[{field: "rsa.network.eth_type", setter: fld_set}]}, - "euid": {to:[{field: "rsa.misc.euid", setter: fld_set}]}, - "event.cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 1}]}, - "event.cat.name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 1}]}, - "event_cat": {convert: to_long, to:[{field: "rsa.investigations.event_cat", setter: fld_prio, prio: 0}]}, - "event_cat_name": {to:[{field: "rsa.investigations.event_cat_name", setter: fld_prio, prio: 0}]}, - "event_category": {to:[{field: "rsa.misc.event_category", setter: fld_set}]}, - "event_computer": {to:[{field: "rsa.misc.event_computer", setter: fld_set}]}, - "event_counter": {convert: to_long, to:[{field: "rsa.counters.event_counter", setter: fld_set}]}, - "event_description": {to:[{field: "rsa.internal.event_desc", setter: fld_set}]}, - "event_id": {to:[{field: 
"rsa.misc.event_id", setter: fld_set}]}, - "event_log": {to:[{field: "rsa.misc.event_log", setter: fld_set}]}, - "event_name": {to:[{field: "rsa.internal.event_name", setter: fld_set}]}, - "event_queue_time": {convert: to_date, to:[{field: "rsa.time.event_queue_time", setter: fld_set}]}, - "event_source": {to:[{field: "rsa.misc.event_source", setter: fld_set}]}, - "event_state": {to:[{field: "rsa.misc.event_state", setter: fld_set}]}, - "event_time": {convert: to_date, to:[{field: "rsa.time.event_time", setter: fld_set}]}, - "event_time_str": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 1}]}, - "event_time_string": {to:[{field: "rsa.time.event_time_str", setter: fld_prio, prio: 0}]}, - "event_type": {to:[{field: "rsa.misc.event_type", setter: fld_set}]}, - "event_user": {to:[{field: "rsa.misc.event_user", setter: fld_set}]}, - "eventtime": {to:[{field: "rsa.time.eventtime", setter: fld_set}]}, - "expected_val": {to:[{field: "rsa.misc.expected_val", setter: fld_set}]}, - "expiration_time": {convert: to_date, to:[{field: "rsa.time.expire_time", setter: fld_set}]}, - "expiration_time_string": {to:[{field: "rsa.time.expire_time_str", setter: fld_set}]}, - "facility": {to:[{field: "rsa.misc.facility", setter: fld_set}]}, - "facilityname": {to:[{field: "rsa.misc.facilityname", setter: fld_set}]}, - "faddr": {to:[{field: "rsa.network.faddr", setter: fld_set}]}, - "fcatnum": {to:[{field: "rsa.misc.fcatnum", setter: fld_set}]}, - "federated_idp": {to:[{field: "rsa.identity.federated_idp", setter: fld_set}]}, - "federated_sp": {to:[{field: "rsa.identity.federated_sp", setter: fld_set}]}, - "feed.category": {to:[{field: "rsa.internal.feed_category", setter: fld_set}]}, - "feed_desc": {to:[{field: "rsa.internal.feed_desc", setter: fld_set}]}, - "feed_name": {to:[{field: "rsa.internal.feed_name", setter: fld_set}]}, - "fhost": {to:[{field: "rsa.network.fhost", setter: fld_set}]}, - "file_entropy": {convert: to_double, to:[{field: "rsa.file.file_entropy", 
setter: fld_set}]}, - "file_vendor": {to:[{field: "rsa.file.file_vendor", setter: fld_set}]}, - "filename_dst": {to:[{field: "rsa.file.filename_dst", setter: fld_set}]}, - "filename_src": {to:[{field: "rsa.file.filename_src", setter: fld_set}]}, - "filename_tmp": {to:[{field: "rsa.file.filename_tmp", setter: fld_set}]}, - "filesystem": {to:[{field: "rsa.file.filesystem", setter: fld_set}]}, - "filter": {to:[{field: "rsa.misc.filter", setter: fld_set}]}, - "finterface": {to:[{field: "rsa.misc.finterface", setter: fld_set}]}, - "flags": {to:[{field: "rsa.misc.flags", setter: fld_set}]}, - "forensic_info": {to:[{field: "rsa.misc.forensic_info", setter: fld_set}]}, - "forward.ip": {convert: to_ip, to:[{field: "rsa.internal.forward_ip", setter: fld_set}]}, - "forward.ipv6": {convert: to_ip, to:[{field: "rsa.internal.forward_ipv6", setter: fld_set}]}, - "found": {to:[{field: "rsa.misc.found", setter: fld_set}]}, - "fport": {to:[{field: "rsa.network.fport", setter: fld_set}]}, - "fqdn": {to:[{field: "rsa.web.fqdn", setter: fld_set}]}, - "fresult": {convert: to_long, to:[{field: "rsa.misc.fresult", setter: fld_set}]}, - "from": {to:[{field: "rsa.email.email_src", setter: fld_set}]}, - "gaddr": {to:[{field: "rsa.misc.gaddr", setter: fld_set}]}, - "gateway": {to:[{field: "rsa.network.gateway", setter: fld_set}]}, - "gmtdate": {to:[{field: "rsa.time.gmtdate", setter: fld_set}]}, - "gmttime": {to:[{field: "rsa.time.gmttime", setter: fld_set}]}, - "group": {to:[{field: "rsa.misc.group", setter: fld_set}]}, - "group_object": {to:[{field: "rsa.misc.group_object", setter: fld_set}]}, - "groupid": {to:[{field: "rsa.misc.group_id", setter: fld_set}]}, - "h_code": {to:[{field: "rsa.internal.hcode", setter: fld_set}]}, - "hardware_id": {to:[{field: "rsa.misc.hardware_id", setter: fld_set}]}, - "header.id": {to:[{field: "rsa.internal.header_id", setter: fld_set}]}, - "host.orig": {to:[{field: "rsa.network.host_orig", setter: fld_set}]}, - "host.state": {to:[{field: 
"rsa.endpoint.host_state", setter: fld_set}]}, - "host.type": {to:[{field: "rsa.network.host_type", setter: fld_set}]}, - "host_role": {to:[{field: "rsa.identity.host_role", setter: fld_set}]}, - "hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hostname": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "hour": {to:[{field: "rsa.time.hour", setter: fld_set}]}, - "https.insact": {to:[{field: "rsa.crypto.https_insact", setter: fld_set}]}, - "https.valid": {to:[{field: "rsa.crypto.https_valid", setter: fld_set}]}, - "icmpcode": {convert: to_long, to:[{field: "rsa.network.icmp_code", setter: fld_set}]}, - "icmptype": {convert: to_long, to:[{field: "rsa.network.icmp_type", setter: fld_set}]}, - "id": {to:[{field: "rsa.misc.reference_id", setter: fld_set}]}, - "id1": {to:[{field: "rsa.misc.reference_id1", setter: fld_set}]}, - "id2": {to:[{field: "rsa.misc.reference_id2", setter: fld_set}]}, - "id3": {to:[{field: "rsa.misc.id3", setter: fld_set}]}, - "ike": {to:[{field: "rsa.crypto.ike", setter: fld_set}]}, - "ike_cookie1": {to:[{field: "rsa.crypto.ike_cookie1", setter: fld_set}]}, - "ike_cookie2": {to:[{field: "rsa.crypto.ike_cookie2", setter: fld_set}]}, - "im_buddyid": {to:[{field: "rsa.misc.im_buddyid", setter: fld_set}]}, - "im_buddyname": {to:[{field: "rsa.misc.im_buddyname", setter: fld_set}]}, - "im_client": {to:[{field: "rsa.misc.im_client", setter: fld_set}]}, - "im_croomid": {to:[{field: "rsa.misc.im_croomid", setter: fld_set}]}, - "im_croomtype": {to:[{field: "rsa.misc.im_croomtype", setter: fld_set}]}, - "im_members": {to:[{field: "rsa.misc.im_members", setter: fld_set}]}, - "im_userid": {to:[{field: "rsa.misc.im_userid", setter: fld_set}]}, - "im_username": {to:[{field: "rsa.misc.im_username", setter: fld_set}]}, - "index": {to:[{field: "rsa.misc.index", setter: fld_set}]}, - "info": {to:[{field: "rsa.db.index", setter: fld_set}]}, - "inode": {convert: to_long, to:[{field: "rsa.internal.inode", setter: fld_set}]}, - 
"inout": {to:[{field: "rsa.misc.inout", setter: fld_set}]}, - "instance": {to:[{field: "rsa.db.instance", setter: fld_set}]}, - "interface": {to:[{field: "rsa.network.interface", setter: fld_set}]}, - "inv.category": {to:[{field: "rsa.investigations.inv_category", setter: fld_set}]}, - "inv.context": {to:[{field: "rsa.investigations.inv_context", setter: fld_set}]}, - "ioc": {to:[{field: "rsa.investigations.ioc", setter: fld_set}]}, - "ip_proto": {convert: to_long, to:[{field: "rsa.network.ip_proto", setter: fld_set}]}, - "ipkt": {to:[{field: "rsa.misc.ipkt", setter: fld_set}]}, - "ipscat": {to:[{field: "rsa.misc.ipscat", setter: fld_set}]}, - "ipspri": {to:[{field: "rsa.misc.ipspri", setter: fld_set}]}, - "jobname": {to:[{field: "rsa.misc.jobname", setter: fld_set}]}, - "jobnum": {to:[{field: "rsa.misc.job_num", setter: fld_set}]}, - "laddr": {to:[{field: "rsa.network.laddr", setter: fld_set}]}, - "language": {to:[{field: "rsa.misc.language", setter: fld_set}]}, - "latitude": {to:[{field: "rsa.misc.latitude", setter: fld_set}]}, - "lc.cid": {to:[{field: "rsa.internal.lc_cid", setter: fld_set}]}, - "lc.ctime": {convert: to_date, to:[{field: "rsa.internal.lc_ctime", setter: fld_set}]}, - "ldap": {to:[{field: "rsa.identity.ldap", setter: fld_set}]}, - "ldap.query": {to:[{field: "rsa.identity.ldap_query", setter: fld_set}]}, - "ldap.response": {to:[{field: "rsa.identity.ldap_response", setter: fld_set}]}, - "level": {convert: to_long, to:[{field: "rsa.internal.level", setter: fld_set}]}, - "lhost": {to:[{field: "rsa.network.lhost", setter: fld_set}]}, - "library": {to:[{field: "rsa.misc.library", setter: fld_set}]}, - "lifetime": {convert: to_long, to:[{field: "rsa.misc.lifetime", setter: fld_set}]}, - "linenum": {to:[{field: "rsa.misc.linenum", setter: fld_set}]}, - "link": {to:[{field: "rsa.misc.link", setter: fld_set}]}, - "linterface": {to:[{field: "rsa.network.linterface", setter: fld_set}]}, - "list_name": {to:[{field: "rsa.misc.list_name", setter: fld_set}]}, - 
"listnum": {to:[{field: "rsa.misc.listnum", setter: fld_set}]}, - "load_data": {to:[{field: "rsa.misc.load_data", setter: fld_set}]}, - "location_floor": {to:[{field: "rsa.misc.location_floor", setter: fld_set}]}, - "location_mark": {to:[{field: "rsa.misc.location_mark", setter: fld_set}]}, - "log_id": {to:[{field: "rsa.misc.log_id", setter: fld_set}]}, - "log_type": {to:[{field: "rsa.misc.log_type", setter: fld_set}]}, - "logid": {to:[{field: "rsa.misc.logid", setter: fld_set}]}, - "logip": {to:[{field: "rsa.misc.logip", setter: fld_set}]}, - "logname": {to:[{field: "rsa.misc.logname", setter: fld_set}]}, - "logon_type": {to:[{field: "rsa.identity.logon_type", setter: fld_set}]}, - "logon_type_desc": {to:[{field: "rsa.identity.logon_type_desc", setter: fld_set}]}, - "longitude": {to:[{field: "rsa.misc.longitude", setter: fld_set}]}, - "lport": {to:[{field: "rsa.misc.lport", setter: fld_set}]}, - "lread": {convert: to_long, to:[{field: "rsa.db.lread", setter: fld_set}]}, - "lun": {to:[{field: "rsa.storage.lun", setter: fld_set}]}, - "lwrite": {convert: to_long, to:[{field: "rsa.db.lwrite", setter: fld_set}]}, - "macaddr": {convert: to_mac, to:[{field: "rsa.network.eth_host", setter: fld_set}]}, - "mail_id": {to:[{field: "rsa.misc.mail_id", setter: fld_set}]}, - "mask": {to:[{field: "rsa.network.mask", setter: fld_set}]}, - "match": {to:[{field: "rsa.misc.match", setter: fld_set}]}, - "mbug_data": {to:[{field: "rsa.misc.mbug_data", setter: fld_set}]}, - "mcb.req": {convert: to_long, to:[{field: "rsa.internal.mcb_req", setter: fld_set}]}, - "mcb.res": {convert: to_long, to:[{field: "rsa.internal.mcb_res", setter: fld_set}]}, - "mcbc.req": {convert: to_long, to:[{field: "rsa.internal.mcbc_req", setter: fld_set}]}, - "mcbc.res": {convert: to_long, to:[{field: "rsa.internal.mcbc_res", setter: fld_set}]}, - "medium": {convert: to_long, to:[{field: "rsa.internal.medium", setter: fld_set}]}, - "message": {to:[{field: "rsa.internal.message", setter: fld_set}]}, - 
"message_body": {to:[{field: "rsa.misc.message_body", setter: fld_set}]}, - "messageid": {to:[{field: "rsa.internal.messageid", setter: fld_set}]}, - "min": {to:[{field: "rsa.time.min", setter: fld_set}]}, - "misc": {to:[{field: "rsa.misc.misc", setter: fld_set}]}, - "misc_name": {to:[{field: "rsa.misc.misc_name", setter: fld_set}]}, - "mode": {to:[{field: "rsa.misc.mode", setter: fld_set}]}, - "month": {to:[{field: "rsa.time.month", setter: fld_set}]}, - "msg": {to:[{field: "rsa.internal.msg", setter: fld_set}]}, - "msgIdPart1": {to:[{field: "rsa.misc.msgIdPart1", setter: fld_set}]}, - "msgIdPart2": {to:[{field: "rsa.misc.msgIdPart2", setter: fld_set}]}, - "msgIdPart3": {to:[{field: "rsa.misc.msgIdPart3", setter: fld_set}]}, - "msgIdPart4": {to:[{field: "rsa.misc.msgIdPart4", setter: fld_set}]}, - "msg_id": {to:[{field: "rsa.internal.msg_id", setter: fld_set}]}, - "msg_type": {to:[{field: "rsa.misc.msg_type", setter: fld_set}]}, - "msgid": {to:[{field: "rsa.misc.msgid", setter: fld_set}]}, - "name": {to:[{field: "rsa.misc.name", setter: fld_set}]}, - "netname": {to:[{field: "rsa.network.netname", setter: fld_set}]}, - "netsessid": {to:[{field: "rsa.misc.netsessid", setter: fld_set}]}, - "network_port": {convert: to_long, to:[{field: "rsa.network.network_port", setter: fld_set}]}, - "network_service": {to:[{field: "rsa.network.network_service", setter: fld_set}]}, - "node": {to:[{field: "rsa.misc.node", setter: fld_set}]}, - "nodename": {to:[{field: "rsa.internal.node_name", setter: fld_set}]}, - "ntype": {to:[{field: "rsa.misc.ntype", setter: fld_set}]}, - "num": {to:[{field: "rsa.misc.num", setter: fld_set}]}, - "number": {to:[{field: "rsa.misc.number", setter: fld_set}]}, - "number1": {to:[{field: "rsa.misc.number1", setter: fld_set}]}, - "number2": {to:[{field: "rsa.misc.number2", setter: fld_set}]}, - "nwe.callback_id": {to:[{field: "rsa.internal.nwe_callback_id", setter: fld_set}]}, - "nwwn": {to:[{field: "rsa.misc.nwwn", setter: fld_set}]}, - "obj_id": 
{to:[{field: "rsa.internal.obj_id", setter: fld_set}]}, - "obj_name": {to:[{field: "rsa.misc.obj_name", setter: fld_set}]}, - "obj_server": {to:[{field: "rsa.internal.obj_server", setter: fld_set}]}, - "obj_type": {to:[{field: "rsa.misc.obj_type", setter: fld_set}]}, - "obj_value": {to:[{field: "rsa.internal.obj_val", setter: fld_set}]}, - "object": {to:[{field: "rsa.misc.object", setter: fld_set}]}, - "observed_val": {to:[{field: "rsa.misc.observed_val", setter: fld_set}]}, - "operation": {to:[{field: "rsa.misc.operation", setter: fld_set}]}, - "operation_id": {to:[{field: "rsa.misc.operation_id", setter: fld_set}]}, - "opkt": {to:[{field: "rsa.misc.opkt", setter: fld_set}]}, - "org.dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 1}]}, - "org.src": {to:[{field: "rsa.physical.org_src", setter: fld_set}]}, - "org_dst": {to:[{field: "rsa.physical.org_dst", setter: fld_prio, prio: 0}]}, - "orig_from": {to:[{field: "rsa.misc.orig_from", setter: fld_set}]}, - "origin": {to:[{field: "rsa.network.origin", setter: fld_set}]}, - "original_owner": {to:[{field: "rsa.identity.owner", setter: fld_set}]}, - "os": {to:[{field: "rsa.misc.OS", setter: fld_set}]}, - "owner_id": {to:[{field: "rsa.misc.owner_id", setter: fld_set}]}, - "p_action": {to:[{field: "rsa.misc.p_action", setter: fld_set}]}, - "p_date": {to:[{field: "rsa.time.p_date", setter: fld_set}]}, - "p_filter": {to:[{field: "rsa.misc.p_filter", setter: fld_set}]}, - "p_group_object": {to:[{field: "rsa.misc.p_group_object", setter: fld_set}]}, - "p_id": {to:[{field: "rsa.misc.p_id", setter: fld_set}]}, - "p_month": {to:[{field: "rsa.time.p_month", setter: fld_set}]}, - "p_msgid": {to:[{field: "rsa.misc.p_msgid", setter: fld_set}]}, - "p_msgid1": {to:[{field: "rsa.misc.p_msgid1", setter: fld_set}]}, - "p_msgid2": {to:[{field: "rsa.misc.p_msgid2", setter: fld_set}]}, - "p_result1": {to:[{field: "rsa.misc.p_result1", setter: fld_set}]}, - "p_time": {to:[{field: "rsa.time.p_time", setter: fld_set}]}, - 
"p_time1": {to:[{field: "rsa.time.p_time1", setter: fld_set}]}, - "p_time2": {to:[{field: "rsa.time.p_time2", setter: fld_set}]}, - "p_url": {to:[{field: "rsa.web.p_url", setter: fld_set}]}, - "p_user_agent": {to:[{field: "rsa.web.p_user_agent", setter: fld_set}]}, - "p_web_cookie": {to:[{field: "rsa.web.p_web_cookie", setter: fld_set}]}, - "p_web_method": {to:[{field: "rsa.web.p_web_method", setter: fld_set}]}, - "p_web_referer": {to:[{field: "rsa.web.p_web_referer", setter: fld_set}]}, - "p_year": {to:[{field: "rsa.time.p_year", setter: fld_set}]}, - "packet_length": {to:[{field: "rsa.network.packet_length", setter: fld_set}]}, - "paddr": {convert: to_ip, to:[{field: "rsa.network.paddr", setter: fld_set}]}, - "param": {to:[{field: "rsa.misc.param", setter: fld_set}]}, - "param.dst": {to:[{field: "rsa.misc.param_dst", setter: fld_set}]}, - "param.src": {to:[{field: "rsa.misc.param_src", setter: fld_set}]}, - "parent_node": {to:[{field: "rsa.misc.parent_node", setter: fld_set}]}, - "parse.error": {to:[{field: "rsa.internal.parse_error", setter: fld_set}]}, - "password": {to:[{field: "rsa.identity.password", setter: fld_set}]}, - "password_chg": {to:[{field: "rsa.misc.password_chg", setter: fld_set}]}, - "password_expire": {to:[{field: "rsa.misc.password_expire", setter: fld_set}]}, - "patient_fname": {to:[{field: "rsa.healthcare.patient_fname", setter: fld_set}]}, - "patient_id": {to:[{field: "rsa.healthcare.patient_id", setter: fld_set}]}, - "patient_lname": {to:[{field: "rsa.healthcare.patient_lname", setter: fld_set}]}, - "patient_mname": {to:[{field: "rsa.healthcare.patient_mname", setter: fld_set}]}, - "payload.req": {convert: to_long, to:[{field: "rsa.internal.payload_req", setter: fld_set}]}, - "payload.res": {convert: to_long, to:[{field: "rsa.internal.payload_res", setter: fld_set}]}, - "peer": {to:[{field: "rsa.crypto.peer", setter: fld_set}]}, - "peer_id": {to:[{field: "rsa.crypto.peer_id", setter: fld_set}]}, - "permgranted": {to:[{field: 
"rsa.misc.permgranted", setter: fld_set}]}, - "permissions": {to:[{field: "rsa.db.permissions", setter: fld_set}]}, - "permwanted": {to:[{field: "rsa.misc.permwanted", setter: fld_set}]}, - "pgid": {to:[{field: "rsa.misc.pgid", setter: fld_set}]}, - "phone_number": {to:[{field: "rsa.misc.phone", setter: fld_prio, prio: 2}]}, - "phost": {to:[{field: "rsa.network.phost", setter: fld_set}]}, - "pid": {to:[{field: "rsa.misc.pid", setter: fld_set}]}, - "policy": {to:[{field: "rsa.misc.policy", setter: fld_set}]}, - "policyUUID": {to:[{field: "rsa.misc.policyUUID", setter: fld_set}]}, - "policy_id": {to:[{field: "rsa.misc.policy_id", setter: fld_set}]}, - "policy_value": {to:[{field: "rsa.misc.policy_value", setter: fld_set}]}, - "policy_waiver": {to:[{field: "rsa.misc.policy_waiver", setter: fld_set}]}, - "policyname": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 0}]}, - "pool_id": {to:[{field: "rsa.misc.pool_id", setter: fld_set}]}, - "pool_name": {to:[{field: "rsa.misc.pool_name", setter: fld_set}]}, - "port": {convert: to_long, to:[{field: "rsa.network.port", setter: fld_set}]}, - "portname": {to:[{field: "rsa.misc.port_name", setter: fld_set}]}, - "pread": {convert: to_long, to:[{field: "rsa.db.pread", setter: fld_set}]}, - "priority": {to:[{field: "rsa.misc.priority", setter: fld_set}]}, - "privilege": {to:[{field: "rsa.file.privilege", setter: fld_set}]}, - "process.vid.dst": {to:[{field: "rsa.internal.process_vid_dst", setter: fld_set}]}, - "process.vid.src": {to:[{field: "rsa.internal.process_vid_src", setter: fld_set}]}, - "process_id_val": {to:[{field: "rsa.misc.process_id_val", setter: fld_set}]}, - "processing_time": {to:[{field: "rsa.time.process_time", setter: fld_set}]}, - "profile": {to:[{field: "rsa.identity.profile", setter: fld_set}]}, - "prog_asp_num": {to:[{field: "rsa.misc.prog_asp_num", setter: fld_set}]}, - "program": {to:[{field: "rsa.misc.program", setter: fld_set}]}, - "protocol_detail": {to:[{field: 
"rsa.network.protocol_detail", setter: fld_set}]}, - "pwwn": {to:[{field: "rsa.storage.pwwn", setter: fld_set}]}, - "r_hostid": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "real_data": {to:[{field: "rsa.misc.real_data", setter: fld_set}]}, - "realm": {to:[{field: "rsa.identity.realm", setter: fld_set}]}, - "reason": {to:[{field: "rsa.misc.reason", setter: fld_set}]}, - "rec_asp_device": {to:[{field: "rsa.misc.rec_asp_device", setter: fld_set}]}, - "rec_asp_num": {to:[{field: "rsa.misc.rec_asp_num", setter: fld_set}]}, - "rec_library": {to:[{field: "rsa.misc.rec_library", setter: fld_set}]}, - "recorded_time": {convert: to_date, to:[{field: "rsa.time.recorded_time", setter: fld_set}]}, - "recordnum": {to:[{field: "rsa.misc.recordnum", setter: fld_set}]}, - "registry.key": {to:[{field: "rsa.endpoint.registry_key", setter: fld_set}]}, - "registry.value": {to:[{field: "rsa.endpoint.registry_value", setter: fld_set}]}, - "remote_domain": {to:[{field: "rsa.web.remote_domain", setter: fld_set}]}, - "remote_domain_id": {to:[{field: "rsa.network.remote_domain_id", setter: fld_set}]}, - "reputation_num": {convert: to_double, to:[{field: "rsa.web.reputation_num", setter: fld_set}]}, - "resource": {to:[{field: "rsa.internal.resource", setter: fld_set}]}, - "resource_class": {to:[{field: "rsa.internal.resource_class", setter: fld_set}]}, - "result": {to:[{field: "rsa.misc.result", setter: fld_set}]}, - "result_code": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 1}]}, - "resultcode": {to:[{field: "rsa.misc.result_code", setter: fld_prio, prio: 0}]}, - "rid": {convert: to_long, to:[{field: "rsa.internal.rid", setter: fld_set}]}, - "risk": {to:[{field: "rsa.misc.risk", setter: fld_set}]}, - "risk_info": {to:[{field: "rsa.misc.risk_info", setter: fld_set}]}, - "risk_num": {convert: to_double, to:[{field: "rsa.misc.risk_num", setter: fld_set}]}, - "risk_num_comm": {convert: to_double, to:[{field: "rsa.misc.risk_num_comm", setter: fld_set}]}, - 
"risk_num_next": {convert: to_double, to:[{field: "rsa.misc.risk_num_next", setter: fld_set}]}, - "risk_num_sand": {convert: to_double, to:[{field: "rsa.misc.risk_num_sand", setter: fld_set}]}, - "risk_num_static": {convert: to_double, to:[{field: "rsa.misc.risk_num_static", setter: fld_set}]}, - "risk_suspicious": {to:[{field: "rsa.misc.risk_suspicious", setter: fld_set}]}, - "risk_warning": {to:[{field: "rsa.misc.risk_warning", setter: fld_set}]}, - "rpayload": {to:[{field: "rsa.network.rpayload", setter: fld_set}]}, - "ruid": {to:[{field: "rsa.misc.ruid", setter: fld_set}]}, - "rule": {to:[{field: "rsa.misc.rule", setter: fld_set}]}, - "rule_group": {to:[{field: "rsa.misc.rule_group", setter: fld_set}]}, - "rule_template": {to:[{field: "rsa.misc.rule_template", setter: fld_set}]}, - "rule_uid": {to:[{field: "rsa.misc.rule_uid", setter: fld_set}]}, - "rulename": {to:[{field: "rsa.misc.rule_name", setter: fld_set}]}, - "s_certauth": {to:[{field: "rsa.crypto.s_certauth", setter: fld_set}]}, - "s_cipher": {to:[{field: "rsa.crypto.cipher_src", setter: fld_set}]}, - "s_ciphersize": {convert: to_long, to:[{field: "rsa.crypto.cipher_size_src", setter: fld_set}]}, - "s_context": {to:[{field: "rsa.misc.context_subject", setter: fld_set}]}, - "s_sslver": {to:[{field: "rsa.crypto.ssl_ver_src", setter: fld_set}]}, - "sburb": {to:[{field: "rsa.misc.sburb", setter: fld_set}]}, - "scheme": {to:[{field: "rsa.crypto.scheme", setter: fld_set}]}, - "sdomain_fld": {to:[{field: "rsa.misc.sdomain_fld", setter: fld_set}]}, - "search.text": {to:[{field: "rsa.misc.search_text", setter: fld_set}]}, - "sec": {to:[{field: "rsa.misc.sec", setter: fld_set}]}, - "second": {to:[{field: "rsa.misc.second", setter: fld_set}]}, - "sensor": {to:[{field: "rsa.misc.sensor", setter: fld_set}]}, - "sensorname": {to:[{field: "rsa.misc.sensorname", setter: fld_set}]}, - "seqnum": {to:[{field: "rsa.misc.seqnum", setter: fld_set}]}, - "serial_number": {to:[{field: "rsa.misc.serial_number", setter: 
fld_set}]}, - "service.account": {to:[{field: "rsa.identity.service_account", setter: fld_set}]}, - "session": {to:[{field: "rsa.misc.session", setter: fld_set}]}, - "session.split": {to:[{field: "rsa.internal.session_split", setter: fld_set}]}, - "sessionid": {to:[{field: "rsa.misc.log_session_id", setter: fld_set}]}, - "sessionid1": {to:[{field: "rsa.misc.log_session_id1", setter: fld_set}]}, - "sessiontype": {to:[{field: "rsa.misc.sessiontype", setter: fld_set}]}, - "severity": {to:[{field: "rsa.misc.severity", setter: fld_set}]}, - "sid": {to:[{field: "rsa.identity.user_sid_dst", setter: fld_set}]}, - "sig.name": {to:[{field: "rsa.misc.sig_name", setter: fld_set}]}, - "sigUUID": {to:[{field: "rsa.misc.sigUUID", setter: fld_set}]}, - "sigcat": {to:[{field: "rsa.misc.sigcat", setter: fld_set}]}, - "sigid": {convert: to_long, to:[{field: "rsa.misc.sig_id", setter: fld_set}]}, - "sigid1": {convert: to_long, to:[{field: "rsa.misc.sig_id1", setter: fld_set}]}, - "sigid_string": {to:[{field: "rsa.misc.sig_id_str", setter: fld_set}]}, - "signame": {to:[{field: "rsa.misc.policy_name", setter: fld_prio, prio: 1}]}, - "sigtype": {to:[{field: "rsa.crypto.sig_type", setter: fld_set}]}, - "sinterface": {to:[{field: "rsa.network.sinterface", setter: fld_set}]}, - "site": {to:[{field: "rsa.internal.site", setter: fld_set}]}, - "size": {convert: to_long, to:[{field: "rsa.internal.size", setter: fld_set}]}, - "smask": {to:[{field: "rsa.network.smask", setter: fld_set}]}, - "snmp.oid": {to:[{field: "rsa.misc.snmp_oid", setter: fld_set}]}, - "snmp.value": {to:[{field: "rsa.misc.snmp_value", setter: fld_set}]}, - "sourcefile": {to:[{field: "rsa.internal.sourcefile", setter: fld_set}]}, - "space": {to:[{field: "rsa.misc.space", setter: fld_set}]}, - "space1": {to:[{field: "rsa.misc.space1", setter: fld_set}]}, - "spi": {to:[{field: "rsa.misc.spi", setter: fld_set}]}, - "sql": {to:[{field: "rsa.misc.sql", setter: fld_set}]}, - "src_dn": {to:[{field: "rsa.identity.dn_src", setter: 
fld_set}]}, - "src_payload": {to:[{field: "rsa.misc.payload_src", setter: fld_set}]}, - "src_spi": {to:[{field: "rsa.misc.spi_src", setter: fld_set}]}, - "src_zone": {to:[{field: "rsa.network.zone_src", setter: fld_set}]}, - "srcburb": {to:[{field: "rsa.misc.srcburb", setter: fld_set}]}, - "srcdom": {to:[{field: "rsa.misc.srcdom", setter: fld_set}]}, - "srcservice": {to:[{field: "rsa.misc.srcservice", setter: fld_set}]}, - "ssid": {to:[{field: "rsa.wireless.wlan_ssid", setter: fld_prio, prio: 0}]}, - "stamp": {convert: to_date, to:[{field: "rsa.time.stamp", setter: fld_set}]}, - "starttime": {convert: to_date, to:[{field: "rsa.time.starttime", setter: fld_set}]}, - "state": {to:[{field: "rsa.misc.state", setter: fld_set}]}, - "statement": {to:[{field: "rsa.internal.statement", setter: fld_set}]}, - "status": {to:[{field: "rsa.misc.status", setter: fld_set}]}, - "status1": {to:[{field: "rsa.misc.status1", setter: fld_set}]}, - "streams": {convert: to_long, to:[{field: "rsa.misc.streams", setter: fld_set}]}, - "subcategory": {to:[{field: "rsa.misc.subcategory", setter: fld_set}]}, - "subject": {to:[{field: "rsa.email.subject", setter: fld_set}]}, - "svcno": {to:[{field: "rsa.misc.svcno", setter: fld_set}]}, - "system": {to:[{field: "rsa.misc.system", setter: fld_set}]}, - "t_context": {to:[{field: "rsa.misc.context_target", setter: fld_set}]}, - "task_name": {to:[{field: "rsa.file.task_name", setter: fld_set}]}, - "tbdstr1": {to:[{field: "rsa.misc.tbdstr1", setter: fld_set}]}, - "tbdstr2": {to:[{field: "rsa.misc.tbdstr2", setter: fld_set}]}, - "tbl_name": {to:[{field: "rsa.db.table_name", setter: fld_set}]}, - "tcp_flags": {convert: to_long, to:[{field: "rsa.misc.tcp_flags", setter: fld_set}]}, - "terminal": {to:[{field: "rsa.misc.terminal", setter: fld_set}]}, - "tgtdom": {to:[{field: "rsa.misc.tgtdom", setter: fld_set}]}, - "tgtdomain": {to:[{field: "rsa.misc.tgtdomain", setter: fld_set}]}, - "threat_name": {to:[{field: "rsa.threat.threat_category", setter: 
fld_set}]}, - "threat_source": {to:[{field: "rsa.threat.threat_source", setter: fld_set}]}, - "threat_val": {to:[{field: "rsa.threat.threat_desc", setter: fld_set}]}, - "threshold": {to:[{field: "rsa.misc.threshold", setter: fld_set}]}, - "time": {convert: to_date, to:[{field: "rsa.internal.time", setter: fld_set}]}, - "timestamp": {to:[{field: "rsa.time.timestamp", setter: fld_set}]}, - "timezone": {to:[{field: "rsa.time.timezone", setter: fld_set}]}, - "to": {to:[{field: "rsa.email.email_dst", setter: fld_set}]}, - "tos": {convert: to_long, to:[{field: "rsa.misc.tos", setter: fld_set}]}, - "trans_from": {to:[{field: "rsa.email.trans_from", setter: fld_set}]}, - "trans_id": {to:[{field: "rsa.db.transact_id", setter: fld_set}]}, - "trans_to": {to:[{field: "rsa.email.trans_to", setter: fld_set}]}, - "trigger_desc": {to:[{field: "rsa.misc.trigger_desc", setter: fld_set}]}, - "trigger_val": {to:[{field: "rsa.misc.trigger_val", setter: fld_set}]}, - "type": {to:[{field: "rsa.misc.type", setter: fld_set}]}, - "type1": {to:[{field: "rsa.misc.type1", setter: fld_set}]}, - "tzone": {to:[{field: "rsa.time.tzone", setter: fld_set}]}, - "ubc.req": {convert: to_long, to:[{field: "rsa.internal.ubc_req", setter: fld_set}]}, - "ubc.res": {convert: to_long, to:[{field: "rsa.internal.ubc_res", setter: fld_set}]}, - "udb_class": {to:[{field: "rsa.misc.udb_class", setter: fld_set}]}, - "url_fld": {to:[{field: "rsa.misc.url_fld", setter: fld_set}]}, - "urlpage": {to:[{field: "rsa.web.urlpage", setter: fld_set}]}, - "urlroot": {to:[{field: "rsa.web.urlroot", setter: fld_set}]}, - "user_address": {to:[{field: "rsa.email.email", setter: fld_append}]}, - "user_dept": {to:[{field: "rsa.identity.user_dept", setter: fld_set}]}, - "user_div": {to:[{field: "rsa.misc.user_div", setter: fld_set}]}, - "user_fname": {to:[{field: "rsa.identity.firstname", setter: fld_set}]}, - "user_lname": {to:[{field: "rsa.identity.lastname", setter: fld_set}]}, - "user_mname": {to:[{field: 
"rsa.identity.middlename", setter: fld_set}]}, - "user_org": {to:[{field: "rsa.identity.org", setter: fld_set}]}, - "user_role": {to:[{field: "rsa.identity.user_role", setter: fld_set}]}, - "userid": {to:[{field: "rsa.misc.userid", setter: fld_set}]}, - "username_fld": {to:[{field: "rsa.misc.username_fld", setter: fld_set}]}, - "utcstamp": {to:[{field: "rsa.misc.utcstamp", setter: fld_set}]}, - "v_instafname": {to:[{field: "rsa.misc.v_instafname", setter: fld_set}]}, - "vendor_event_cat": {to:[{field: "rsa.investigations.event_vcat", setter: fld_set}]}, - "version": {to:[{field: "rsa.misc.version", setter: fld_set}]}, - "vid": {to:[{field: "rsa.internal.msg_vid", setter: fld_set}]}, - "virt_data": {to:[{field: "rsa.misc.virt_data", setter: fld_set}]}, - "virusname": {to:[{field: "rsa.misc.virusname", setter: fld_set}]}, - "vlan": {convert: to_long, to:[{field: "rsa.network.vlan", setter: fld_set}]}, - "vlan.name": {to:[{field: "rsa.network.vlan_name", setter: fld_set}]}, - "vm_target": {to:[{field: "rsa.misc.vm_target", setter: fld_set}]}, - "vpnid": {to:[{field: "rsa.misc.vpnid", setter: fld_set}]}, - "vsys": {to:[{field: "rsa.misc.vsys", setter: fld_set}]}, - "vuln_ref": {to:[{field: "rsa.misc.vuln_ref", setter: fld_set}]}, - "web_cookie": {to:[{field: "rsa.web.web_cookie", setter: fld_set}]}, - "web_extension_tmp": {to:[{field: "rsa.web.web_extension_tmp", setter: fld_set}]}, - "web_host": {to:[{field: "rsa.web.alias_host", setter: fld_set}]}, - "web_method": {to:[{field: "rsa.misc.action", setter: fld_append}]}, - "web_page": {to:[{field: "rsa.web.web_page", setter: fld_set}]}, - "web_ref_domain": {to:[{field: "rsa.web.web_ref_domain", setter: fld_set}]}, - "web_ref_host": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "web_ref_page": {to:[{field: "rsa.web.web_ref_page", setter: fld_set}]}, - "web_ref_query": {to:[{field: "rsa.web.web_ref_query", setter: fld_set}]}, - "web_ref_root": {to:[{field: "rsa.web.web_ref_root", setter: fld_set}]}, - 
"wifi_channel": {convert: to_long, to:[{field: "rsa.wireless.wlan_channel", setter: fld_set}]}, - "wlan": {to:[{field: "rsa.wireless.wlan_name", setter: fld_set}]}, - "word": {to:[{field: "rsa.internal.word", setter: fld_set}]}, - "workspace_desc": {to:[{field: "rsa.misc.workspace", setter: fld_set}]}, - "workstation": {to:[{field: "rsa.network.alias_host", setter: fld_append}]}, - "year": {to:[{field: "rsa.time.year", setter: fld_set}]}, - "zone": {to:[{field: "rsa.network.zone", setter: fld_set}]}, -}; - -function to_date(value) { - switch (typeof (value)) { - case "object": - // This is a Date. But as it was obtained from evt.Get(), the VM - // doesn't see it as a JS Date anymore, thus value instanceof Date === false. - // Have to trust that any object here is a valid Date for Go. - return value; - case "string": - var asDate = new Date(value); - if (!isNaN(asDate)) return asDate; - } -} - -// ECMAScript 5.1 doesn't have Object.MAX_SAFE_INTEGER / Object.MIN_SAFE_INTEGER. -var maxSafeInt = Math.pow(2, 53) - 1; -var minSafeInt = -maxSafeInt; - -function to_long(value) { - var num = parseInt(value); - // Better not to index a number if it's not safe (above 53 bits). - return !isNaN(num) && minSafeInt <= num && num <= maxSafeInt ? 
num : undefined; -} - -function to_ip(value) { - if (value.indexOf(":") === -1) - return to_ipv4(value); - return to_ipv6(value); -} - -var ipv4_regex = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; -var ipv6_hex_regex = /^[0-9A-Fa-f]{1,4}$/; - -function to_ipv4(value) { - var result = ipv4_regex.exec(value); - if (result == null || result.length !== 5) return; - for (var i = 1; i < 5; i++) { - var num = strictToInt(result[i]); - if (isNaN(num) || num < 0 || num > 255) return; - } - return value; -} - -function to_ipv6(value) { - var sqEnd = value.indexOf("]"); - if (sqEnd > -1) { - if (value.charAt(0) !== "[") return; - value = value.substr(1, sqEnd - 1); - } - var zoneOffset = value.indexOf("%"); - if (zoneOffset > -1) { - value = value.substr(0, zoneOffset); - } - var parts = value.split(":"); - if (parts == null || parts.length < 3 || parts.length > 8) return; - var numEmpty = 0; - var innerEmpty = 0; - for (var i = 0; i < parts.length; i++) { - if (parts[i].length === 0) { - numEmpty++; - if (i > 0 && i + 1 < parts.length) innerEmpty++; - } else if (!parts[i].match(ipv6_hex_regex) && - // Accept an IPv6 with a valid IPv4 at the end. - ((i + 1 < parts.length) || !to_ipv4(parts[i]))) { - return; - } - } - return innerEmpty === 0 && parts.length === 8 || innerEmpty === 1 ? value : undefined; -} - -function to_double(value) { - return parseFloat(value); -} - -function to_mac(value) { - // ES doesn't have a mac datatype so it's safe to ingest whatever was captured. - return value; -} - -function to_lowercase(value) { - // to_lowercase is used against keyword fields, which can accept - // any other type (numbers, dates). - return typeof(value) === "string"? 
value.toLowerCase() : value; -} - -function fld_set(dst, value) { - dst[this.field] = { v: value }; -} - -function fld_append(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: [value] }; - } else { - var base = dst[this.field]; - if (base.v.indexOf(value)===-1) base.v.push(value); - } -} - -function fld_prio(dst, value) { - if (dst[this.field] === undefined) { - dst[this.field] = { v: value, prio: this.prio}; - } else if(this.prio < dst[this.field].prio) { - dst[this.field].v = value; - dst[this.field].prio = this.prio; - } -} - -var valid_ecs_outcome = { - 'failure': true, - 'success': true, - 'unknown': true -}; - -function fld_ecs_outcome(dst, value) { - value = value.toLowerCase(); - if (valid_ecs_outcome[value] === undefined) { - value = 'unknown'; - } - if (dst[this.field] === undefined) { - dst[this.field] = { v: value }; - } else if (dst[this.field].v === 'unknown') { - dst[this.field] = { v: value }; - } -} - -function map_all(evt, targets, value) { - for (var i = 0; i < targets.length; i++) { - evt.Put(targets[i], value); - } -} - -function populate_fields(evt) { - var base = evt.Get(FIELDS_OBJECT); - if (base === null) return; - alternate_datetime(evt); - if (map_ecs) { - do_populate(evt, base, ecs_mappings); - } - if (map_rsa) { - do_populate(evt, base, rsa_mappings); - } - if (keep_raw) { - evt.Put("rsa.raw", base); - } - evt.Delete(FIELDS_OBJECT); -} - -var datetime_alt_components = [ - {field: "day", fmts: [[dF]]}, - {field: "year", fmts: [[dW]]}, - {field: "month", fmts: [[dB],[dG]]}, - {field: "date", fmts: [[dW,dSkip,dG,dSkip,dF],[dW,dSkip,dB,dSkip,dF],[dW,dSkip,dR,dSkip,dF]]}, - {field: "hour", fmts: [[dN]]}, - {field: "min", fmts: [[dU]]}, - {field: "secs", fmts: [[dO]]}, - {field: "time", fmts: [[dN, dSkip, dU, dSkip, dO]]}, -]; - -function alternate_datetime(evt) { - if (evt.Get(FIELDS_PREFIX + "event_time") != null) { - return; - } - var tzOffset = tz_offset; - if (tzOffset === "event") { - tzOffset = 
evt.Get("event.timezone"); - } - var container = new DateContainer(tzOffset); - for (var i=0; i} %{hday->} %{htime->} %{hhost->} %{messageid}[%{hfld1}]: [%{husername}] [%{hfld2}] %{payload}", processor_chain([ - setc("header_id","0005"), -])); - -var hdr2 = match("HEADER#1:0006", "message", "%{hmonth->} %{hday->} %{htime->} %{hhost->} %{messageid}[%{hfld1}]: [%{husername}] %{payload}", processor_chain([ - setc("header_id","0006"), -])); - -var hdr3 = match("HEADER#2:0007", "message", "%{hmonth->} %{hday->} %{htime->} %{hhost->} %{messageid}[%{hfld1}]: %{payload}", processor_chain([ - setc("header_id","0007"), -])); - -var hdr4 = match("HEADER#3:0008", "message", "%{hmonth->} %{hday->} %{htime->} %{hhost->} %{messageid}: %{payload}", processor_chain([ - setc("header_id","0008"), - dup1, -])); - -var hdr5 = match("HEADER#4:0001", "message", "%{messageid}[%{hfld1}]: [%{husername}] [%{hfld2}] %{payload}", processor_chain([ - setc("header_id","0001"), -])); - -var hdr6 = match("HEADER#5:0002", "message", "%{messageid}[%{hfld1}]: [%{husername}] %{payload}", processor_chain([ - setc("header_id","0002"), -])); - -var hdr7 = match("HEADER#6:0003", "message", "%{messageid}[%{hfld1}]: %{payload}", processor_chain([ - setc("header_id","0003"), -])); - -var hdr8 = match("HEADER#7:0004", "message", "%{messageid}: %{payload}", processor_chain([ - setc("header_id","0004"), - dup1, -])); - -var select1 = linear_select([ - hdr1, - hdr2, - hdr3, - hdr4, - hdr5, - hdr6, - hdr7, - hdr8, -]); - -var part1 = match("MESSAGE#0:firepass:01", "nwparser.payload", "Entered %{fld2}", processor_chain([ - dup2, - dup3, - dup4, -])); - -var msg1 = msg("firepass:01", part1); - -var part2 = match("MESSAGE#1:firepass:02", "nwparser.payload", "Logged out%{}", processor_chain([ - setc("eventcategory","1401070000"), - dup5, - dup6, - dup3, - dup4, -])); - -var msg2 = msg("firepass:02", part2); - -var part3 = match("MESSAGE#2:firepass:03", "nwparser.payload", "Finished using %{fld2}", processor_chain([ - 
dup2, - dup3, - dup4, -])); - -var msg3 = msg("firepass:03", part3); - -var part4 = match("MESSAGE#3:firepass:04", "nwparser.payload", "Open %{fld2->} to Remote Host:%{dhost}", processor_chain([ - dup7, - dup3, - dup4, -])); - -var msg4 = msg("firepass:04", part4); - -var part5 = match("MESSAGE#4:firepass:05", "nwparser.payload", "param %{fld1->} = %{fld2}", processor_chain([ - setc("eventcategory","1701020000"), - dup3, - dup4, -])); - -var msg5 = msg("firepass:05", part5); - -var part6 = match("MESSAGE#5:firepass:06", "nwparser.payload", "Access menu %{fld2}", processor_chain([ - dup2, - dup3, - dup4, -])); - -var msg6 = msg("firepass:06", part6); - -var part7 = match("MESSAGE#6:firepass:07", "nwparser.payload", "Accessing %{url}", processor_chain([ - dup2, - dup3, - dup4, -])); - -var msg7 = msg("firepass:07", part7); - -var part8 = match("MESSAGE#7:firepass:08", "nwparser.payload", "Network Access: dialing Click to connect to Network Access%{}", processor_chain([ - setc("eventcategory","1801000000"), - dup3, - dup4, -])); - -var msg8 = msg("firepass:08", part8); - -var part9 = match("MESSAGE#8:firepass:09", "nwparser.payload", "FirePass service stopped on %{hostname}", processor_chain([ - dup8, - dup9, - setc("ec_activity","Stop"), - dup3, - dup4, -])); - -var msg9 = msg("firepass:09", part9); - -var part10 = match("MESSAGE#9:firepass:10", "nwparser.payload", "FirePass service started on %{hostname}", processor_chain([ - dup8, - dup9, - setc("ec_activity","Start"), - dup3, - dup4, -])); - -var msg10 = msg("firepass:10", part10); - -var part11 = match("MESSAGE#10:firepass:11", "nwparser.payload", "shutting down for system reboot%{}", processor_chain([ - setc("eventcategory","1606000000"), - dup3, - setc("event_description","shutting down for system reboot"), -])); - -var msg11 = msg("firepass:11", part11); - -var part12 = match("MESSAGE#11:firepass:12", "nwparser.payload", "%{event_description}", processor_chain([ - dup8, - dup3, -])); - -var msg12 = 
msg("firepass:12", part12); - -var select2 = linear_select([ - msg1, - msg2, - msg3, - msg4, - msg5, - msg6, - msg7, - msg8, - msg9, - msg10, - msg11, - msg12, -]); - -var part13 = match("MESSAGE#12:GarbageCollection:01", "nwparser.payload", "User: '%{username}' session expired due to inactivity. %{result}.", processor_chain([ - dup10, - dup3, -])); - -var msg13 = msg("GarbageCollection:01", part13); - -var part14 = match("MESSAGE#13:GarbageCollection:02", "nwparser.payload", "User: '%{username}' session was terminated.", processor_chain([ - dup10, - dup3, -])); - -var msg14 = msg("GarbageCollection:02", part14); - -var part15 = match("MESSAGE#14:GarbageCollection:03", "nwparser.payload", "session '%{sessionid}' is expired due to inactivity. %{result}.", processor_chain([ - dup10, - dup3, -])); - -var msg15 = msg("GarbageCollection:03", part15); - -var part16 = match("MESSAGE#15:GarbageCollection:04", "nwparser.payload", "apache server is not running. start it%{}", processor_chain([ - dup8, - dup3, -])); - -var msg16 = msg("GarbageCollection:04", part16); - -var part17 = match("MESSAGE#16:GarbageCollection:05", "nwparser.payload", "%{fld2->} already started with pid %{process_id}", processor_chain([ - dup8, - dup3, -])); - -var msg17 = msg("GarbageCollection:05", part17); - -var part18 = match("MESSAGE#17:GarbageCollection:06", "nwparser.payload", "no servers defined for Radius Accounting%{}", processor_chain([ - dup11, - dup3, -])); - -var msg18 = msg("GarbageCollection:06", part18); - -var part19 = match("MESSAGE#18:GarbageCollection:07", "nwparser.payload", "DHCP Agent is not running... 
Restarting it.%{}", processor_chain([ - dup11, - dup3, -])); - -var msg19 = msg("GarbageCollection:07", part19); - -var part20 = match("MESSAGE#19:GarbageCollection:08", "nwparser.payload", "session '%{sessionid}' is terminated.", processor_chain([ - dup11, - dup3, -])); - -var msg20 = msg("GarbageCollection:08", part20); - -var part21 = match("MESSAGE#20:GarbageCollection:09", "nwparser.payload", "can not connect to database %{fld1}", processor_chain([ - dup11, - dup3, - setc("event_description","can not connect to database"), -])); - -var msg21 = msg("GarbageCollection:09", part21); - -var part22 = match("MESSAGE#21:GarbageCollection:10", "nwparser.payload", "timeout happened. restarting %{fld1->} services", processor_chain([ - dup11, - dup3, - setc("event_description","timeout happened. restarting services"), -])); - -var msg22 = msg("GarbageCollection:10", part22); - -var select3 = linear_select([ - msg13, - msg14, - msg15, - msg16, - msg17, - msg18, - msg19, - msg20, - msg21, - msg22, -]); - -var part23 = match("MESSAGE#22:maintenance:01", "nwparser.payload", "Failed to upload backup file %(unknown). 
%{info->} Server returned:%{result}", processor_chain([ - dup11, - dup3, - dup4, -])); - -var msg23 = msg("maintenance:01", part23); - -var part24 = match("MESSAGE#23:maintenance:02", "nwparser.payload", "Logged out Sid = %{sessionid}", processor_chain([ - dup8, - dup12, - dup6, - dup13, - dup3, - dup4, -])); - -var msg24 = msg("maintenance:02", part24); - -var part25 = match("MESSAGE#24:maintenance:03", "nwparser.payload", "Network Access: %{info}", processor_chain([ - dup8, - dup3, - dup4, -])); - -var msg25 = msg("maintenance:03", part25); - -var part26 = match("MESSAGE#25:maintenance:04", "nwparser.payload", "Trying connect to %{fld2->} on %{fqdn}:%{network_port}", processor_chain([ - dup11, - dup3, - dup4, -])); - -var msg26 = msg("maintenance:04", part26); - -var part27 = match("MESSAGE#26:maintenance:05", "nwparser.payload", "%{info}", processor_chain([ - dup11, - dup3, - dup4, -])); - -var msg27 = msg("maintenance:05", part27); - -var select4 = linear_select([ - msg23, - msg24, - msg25, - msg26, - msg27, -]); - -var part28 = match("MESSAGE#27:NetworkAccess:01", "nwparser.payload", "\u003c\u003c%{sessionid}> Open Network Access Connection using remote IP address %{daddr}", processor_chain([ - dup7, - dup12, - dup13, - dup3, - dup4, -])); - -var msg28 = msg("NetworkAccess:01", part28); - -var part29 = match("MESSAGE#28:NetworkAccess:02", "nwparser.payload", "\u003c\u003c%{sessionid}> Network Access Connection terminated", processor_chain([ - dup10, - dup12, - dup13, - dup3, - dup4, -])); - -var msg29 = msg("NetworkAccess:02", part29); - -var part30 = match("MESSAGE#29:NetworkAccess:03", "nwparser.payload", "\u003c\u003c%{sessionid}> Error - %{info}", processor_chain([ - setc("eventcategory","1801010000"), - dup12, - dup13, - dup3, - dup4, -])); - -var msg30 = msg("NetworkAccess:03", part30); - -var select5 = linear_select([ - msg28, - msg29, - msg30, -]); - -var part31 = match("MESSAGE#30:security:01/0", "nwparser.payload", "User %{username->} logged on from 
%{p0}"); - -var part32 = match("MESSAGE#30:security:01/1_0", "nwparser.p0", "%{saddr->} to %{daddr->} Sid = %{sessionid->} "); - -var part33 = match("MESSAGE#30:security:01/1_1", "nwparser.p0", "%{saddr->} Sid = %{sessionid->} "); - -var part34 = match("MESSAGE#30:security:01/1_2", "nwparser.p0", "%{saddr->} "); - -var select6 = linear_select([ - part32, - part33, - part34, -]); - -var all1 = all_match({ - processors: [ - part31, - select6, - ], - on_success: processor_chain([ - setc("eventcategory","1401060000"), - dup5, - dup14, - dup15, - dup3, - ]), -}); - -var msg31 = msg("security:01", all1); - -var part35 = match("MESSAGE#31:security:02/0", "nwparser.payload", "%{} %{p0}"); - -var part36 = match("MESSAGE#31:security:02/1_0", "nwparser.p0", "Invalid %{p0}"); - -var part37 = match("MESSAGE#31:security:02/1_1", "nwparser.p0", "Valid %{p0}"); - -var select7 = linear_select([ - part36, - part37, -]); - -var part38 = match("MESSAGE#31:security:02/2", "nwparser.p0", "%{}user %{username->} failed to log on from %{saddr}"); - -var all2 = all_match({ - processors: [ - part35, - select7, - part38, - ], - on_success: processor_chain([ - dup16, - dup5, - dup14, - dup15, - dup17, - dup3, - ]), -}); - -var msg32 = msg("security:02", all2); - -var part39 = match("MESSAGE#32:security:03", "nwparser.payload", "Successful password update for user %{user_fullname}, username: %{username}", processor_chain([ - setc("eventcategory","1402040100"), - setc("ec_activity","Modify"), - setc("ec_theme","Password"), - setc("ec_outcome","Success"), - dup3, -])); - -var msg33 = msg("security:03", part39); - -var part40 = match("MESSAGE#33:security:04", "nwparser.payload", "Possible intrusion attempt! %{fld1->} consecutive authentication failures happened within %{fld2->} min. 
Last Source IP Address: %{saddr->} %{info}", processor_chain([ - dup16, - dup14, - dup15, - dup17, - dup3, -])); - -var msg34 = msg("security:04", part40); - -var part41 = match("MESSAGE#34:security:05", "nwparser.payload", "User [%{action}] logon from %{saddr}", processor_chain([ - dup18, - dup5, - dup14, - dup15, - setc("ec_outcome","Error"), - dup3, -])); - -var msg35 = msg("security:05", part41); - -var part42 = match("MESSAGE#35:security:06", "nwparser.payload", "Non-administrator account %{username->} attempted to access admin account", processor_chain([ - dup18, - dup5, - dup14, - setc("ec_theme","Policy"), - dup17, - dup3, -])); - -var msg36 = msg("security:06", part42); - -var part43 = match("MESSAGE#36:security:07", "nwparser.payload", "User %{username->} exceeded the allowed number of concurrent logons", processor_chain([ - dup16, - dup5, - dup14, - dup15, - dup17, - dup3, - setc("event_description","user exceeded the allowed number of concurrent logons"), -])); - -var msg37 = msg("security:07", part43); - -var part44 = match("MESSAGE#37:security:08", "nwparser.payload", "User %{username->} from %{saddr->} presented with challenge", processor_chain([ - dup19, - dup5, - dup3, - setc("event_description","user presented with challenge"), -])); - -var msg38 = msg("security:08", part44); - -var part45 = match("MESSAGE#38:security:09", "nwparser.payload", "Possible intrusion attempt detected against account %{fld1->} from source IP address %{saddr->} for URI=[%{fld2}]%{info}", processor_chain([ - dup19, - dup5, - dup3, - setc("event_description","Possible intrusion attempt detected"), -])); - -var msg39 = msg("security:09", part45); - -var select8 = linear_select([ - msg31, - msg32, - msg33, - msg34, - msg35, - msg36, - msg37, - msg38, - msg39, -]); - -var part46 = match("MESSAGE#39:httpd", "nwparser.payload", "scr_monitor: %{fld1}", processor_chain([ - dup8, - dup3, - dup4, -])); - -var msg40 = msg("httpd", part46); - -var part47 = 
match("MESSAGE#40:Miscellaneous:01", "nwparser.payload", "Purge logs: not started. Next purge scheduled time %{fld1->} is not exceeded", processor_chain([ - dup8, - dup3, - dup4, -])); - -var msg41 = msg("Miscellaneous:01", part47); - -var part48 = match("MESSAGE#41:Miscellaneous:02", "nwparser.payload", "Purge logs: finished. Deleted %{fld1->} logon records", processor_chain([ - dup8, - dup3, - dup4, -])); - -var msg42 = msg("Miscellaneous:02", part48); - -var part49 = match("MESSAGE#42:Miscellaneous:03", "nwparser.payload", "Purge logs: auto started%{}", processor_chain([ - dup8, - dup3, - dup4, -])); - -var msg43 = msg("Miscellaneous:03", part49); - -var part50 = match("MESSAGE#43:Miscellaneous:04", "nwparser.payload", "Database error detected, dump: %{info}", processor_chain([ - setc("eventcategory","1603000000"), - dup3, - dup4, -])); - -var msg44 = msg("Miscellaneous:04", part50); - -var part51 = match("MESSAGE#44:Miscellaneous:05", "nwparser.payload", "Recovered database successfully%{}", processor_chain([ - dup8, - dup3, - dup4, -])); - -var msg45 = msg("Miscellaneous:05", part51); - -var select9 = linear_select([ - msg41, - msg42, - msg43, - msg44, - msg45, -]); - -var part52 = match("MESSAGE#45:kernel:07", "nwparser.payload", "kernel: Marketing_resource:%{fld1->} SRC=%{saddr->} DST=%{daddr->} %{info->} PROTO=%{protocol->} SPT=%{sport->} DPT=%{dport->} %{fld3}", processor_chain([ - dup8, - dup3, -])); - -var msg46 = msg("kernel:07", part52); - -var part53 = match("MESSAGE#46:kernel:01", "nwparser.payload", "kernel: Marketing_resource: %{info}", processor_chain([ - dup8, - dup3, -])); - -var msg47 = msg("kernel:01", part53); - -var part54 = match("MESSAGE#47:kernel:02", "nwparser.payload", "kernel: CSLIP: %{info}", processor_chain([ - dup8, - dup3, -])); - -var msg48 = msg("kernel:02", part54); - -var part55 = match("MESSAGE#48:kernel:03", "nwparser.payload", "kernel: PPP %{info}", processor_chain([ - dup8, - dup3, -])); - -var msg49 = msg("kernel:03", 
part55); - -var part56 = match("MESSAGE#49:kernel:04", "nwparser.payload", "kernel: cdrom: open failed.%{}", processor_chain([ - dup8, - dup3, -])); - -var msg50 = msg("kernel:04", part56); - -var part57 = match("MESSAGE#50:kernel:06", "nwparser.payload", "kernel: GlobalFilter:%{fld1->} SRC=%{saddr->} DST=%{daddr->} %{info->} PROTO=%{protocol->} SPT=%{sport->} DPT=%{dport->} %{fld3}", processor_chain([ - dup8, - dup3, -])); - -var msg51 = msg("kernel:06", part57); - -var part58 = match("MESSAGE#51:kernel:05", "nwparser.payload", "kernel: %{info}", processor_chain([ - dup8, - dup3, -])); - -var msg52 = msg("kernel:05", part58); - -var select10 = linear_select([ - msg46, - msg47, - msg48, - msg49, - msg50, - msg51, - msg52, -]); - -var part59 = match("MESSAGE#52:sshd", "nwparser.payload", "Accepted publickey for %{username->} from %{saddr->} port %{sport->} %{fld2}", processor_chain([ - setc("eventcategory","1401050100"), - dup3, -])); - -var msg53 = msg("sshd", part59); - -var part60 = match("MESSAGE#53:ntpd:01", "nwparser.payload", "frequency initialized %{fld1->} PPM from %{fld2}", processor_chain([ - dup8, - dup3, -])); - -var msg54 = msg("ntpd:01", part60); - -var part61 = match("MESSAGE#54:ntpd:02", "nwparser.payload", "kernel time sync status %{resultcode}", processor_chain([ - dup8, - dup3, -])); - -var msg55 = msg("ntpd:02", part61); - -var part62 = match("MESSAGE#55:ntpd:03", "nwparser.payload", "Listening on interface %{interface}, %{hostip}#%{network_port}", processor_chain([ - dup8, - dup3, -])); - -var msg56 = msg("ntpd:03", part62); - -var part63 = match("MESSAGE#56:ntpd:04", "nwparser.payload", "precision = %{duration_string}", processor_chain([ - dup8, - dup3, -])); - -var msg57 = msg("ntpd:04", part63); - -var part64 = match("MESSAGE#57:ntpd:05", "nwparser.payload", "ntpd %{info}", processor_chain([ - dup8, - dup3, -])); - -var msg58 = msg("ntpd:05", part64); - -var select11 = linear_select([ - msg54, - msg55, - msg56, - msg57, - msg58, -]); - -var 
part65 = match("MESSAGE#58:AppTunnel:01", "nwparser.payload", "\u003c\u003c%{sessionid}> %{fld2->} connection to %{dhost}(%{daddr}):%{dport->} terminated", processor_chain([ - dup10, - dup12, - dup13, - dup3, - dup4, -])); - -var msg59 = msg("AppTunnel:01", part65); - -var part66 = match("MESSAGE#59:AppTunnel:02", "nwparser.payload", "\u003c\u003c%{sessionid}> %{fld2->} connection to %{dhost}(%{daddr}):%{dport}", processor_chain([ - dup7, - dup12, - dup13, - dup3, - dup4, -])); - -var msg60 = msg("AppTunnel:02", part66); - -var part67 = match("MESSAGE#60:AppTunnel:03", "nwparser.payload", "\u003c\u003c%{sessionid}> Error - Connection timed out", processor_chain([ - dup7, - dup12, - dup13, - dup17, - dup3, - dup4, -])); - -var msg61 = msg("AppTunnel:03", part67); - -var part68 = match("MESSAGE#61:AppTunnel:04", "nwparser.payload", "Connection to %{daddr->} port %{dport->} failed", processor_chain([ - dup7, - dup12, - dup13, - dup17, - dup3, - dup4, -])); - -var msg62 = msg("AppTunnel:04", part68); - -var part69 = match("MESSAGE#62:AppTunnel:05", "nwparser.payload", "\u003c\u003c%{sessionid}> Error - Invalid session id", processor_chain([ - dup7, - dup12, - dup13, - dup3, -])); - -var msg63 = msg("AppTunnel:05", part69); - -var select12 = linear_select([ - msg59, - msg60, - msg61, - msg62, - msg63, -]); - -var part70 = match("MESSAGE#63:run-crons", "nwparser.payload", "%{fld2->} returned %{resultcode}", processor_chain([ - dup8, - dup3, -])); - -var msg64 = msg("run-crons", part70); - -var part71 = match("MESSAGE#64:/USR/SBIN/CRON", "nwparser.payload", "(%{username}) CMD (%{action})", processor_chain([ - dup2, - dup3, -])); - -var msg65 = msg("/USR/SBIN/CRON", part71); - -var part72 = match("MESSAGE#65:ntpdate", "nwparser.payload", "adjust time server %{daddr->} offset %{duration_string}", processor_chain([ - setc("eventcategory","1605030000"), - dup3, -])); - -var msg66 = msg("ntpdate", part72); - -var part73 = match("MESSAGE#66:heartbeat", "nwparser.payload", 
"info: %{info}", processor_chain([ - setc("eventcategory","1604000000"), - dup3, -])); - -var msg67 = msg("heartbeat", part73); - -var part74 = match("MESSAGE#67:mailer", "nwparser.payload", "Failed to send \\'%{subject}\\' to \\'%{to}\\'", processor_chain([ - setc("eventcategory","1207010200"), - setc("ec_subject","Message"), - setc("ec_activity","Send"), - dup13, - dup17, - dup3, -])); - -var msg68 = msg("mailer", part74); - -var part75 = match("MESSAGE#68:EndpointSecurity/0", "nwparser.payload", "id[%{fld1}]: \"%{p0}"); - -var part76 = match("MESSAGE#68:EndpointSecurity/1_0", "nwparser.p0", "%{fld2->} - Connected%{p0}"); - -var part77 = match("MESSAGE#68:EndpointSecurity/1_1", "nwparser.p0", "Connected%{p0}"); - -var select13 = linear_select([ - part76, - part77, -]); - -var part78 = match("MESSAGE#68:EndpointSecurity/2", "nwparser.p0", "%{}from %{saddr->} %{info}\""); - -var all3 = all_match({ - processors: [ - part75, - select13, - part78, - ], - on_success: processor_chain([ - dup20, - dup13, - dup3, - ]), -}); - -var msg69 = msg("EndpointSecurity", all3); - -var part79 = match("MESSAGE#69:EndpointSecurity:01", "nwparser.payload", "id[%{fld1}]: %{event_description}", processor_chain([ - dup20, - dup13, - dup3, -])); - -var msg70 = msg("EndpointSecurity:01", part79); - -var select14 = linear_select([ - msg69, - msg70, -]); - -var part80 = match("MESSAGE#70:snmp", "nwparser.payload", "SNMP handler started%{}", processor_chain([ - dup20, - dup3, - setc("event_description","SNMP handler started"), - setc("action","started"), - setc("protocol","SNMP"), -])); - -var msg71 = msg("snmp", part80); - -var part81 = match("MESSAGE#71:snmp:01", "nwparser.payload", "%{event_description}", processor_chain([ - dup20, - dup3, -])); - -var msg72 = msg("snmp:01", part81); - -var select15 = linear_select([ - msg71, - msg72, -]); - -var chain1 = processor_chain([ - select1, - msgid_select({ - "/USR/SBIN/CRON": msg65, - "AppTunnel": select12, - "EndpointSecurity": select14, - 
"GarbageCollection": select3,
- "Miscellaneous": select9,
- "NetworkAccess": select5,
- "firepass": select2,
- "heartbeat": msg67,
- "httpd": msg40,
- "kernel": select10,
- "mailer": msg68,
- "maintenance": select4,
- "ntpd": select11,
- "ntpdate": msg66,
- "run-crons": msg64,
- "security": select8,
- "snmp": select15,
- "sshd": msg53,
- }),
-]);
diff --git a/x-pack/filebeat/module/f5/firepass/ingest/pipeline.yml b/x-pack/filebeat/module/f5/firepass/ingest/pipeline.yml
deleted file mode 100755
index d303dbfff86..00000000000
--- a/x-pack/filebeat/module/f5/firepass/ingest/pipeline.yml
+++ /dev/null
@@ -1,55 +0,0 @@
----
-description: Pipeline for F5 Firepass
-
-processors:
- # User agent
- - user_agent:
- field: user_agent.original
- ignore_missing: true
- # IP Geolocation Lookup
- - geoip:
- field: source.ip
- target_field: source.geo
- ignore_missing: true
- - geoip:
- field: destination.ip
- target_field: destination.geo
- ignore_missing: true
-
- # IP Autonomous System (AS) Lookup
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: source.ip
- target_field: source.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - geoip:
- database_file: GeoLite2-ASN.mmdb
- field: destination.ip
- target_field: destination.as
- properties:
- - asn
- - organization_name
- ignore_missing: true
- - rename:
- field: source.as.asn
- target_field: source.as.number
- ignore_missing: true
- - rename:
- field: source.as.organization_name
- target_field: source.as.organization.name
- ignore_missing: true
- - rename:
- field: destination.as.asn
- target_field: destination.as.number
- ignore_missing: true
- - rename:
- field: destination.as.organization_name
- target_field: destination.as.organization.name
- ignore_missing: true
-on_failure:
- - append:
- field: error.message
- value: "{{ _ingest.on_failure_message }}"
diff --git a/x-pack/filebeat/module/f5/firepass/manifest.yml b/x-pack/filebeat/module/f5/firepass/manifest.yml
deleted file mode 100644
index becd0eb7cd1..00000000000
--- a/x-pack/filebeat/module/f5/firepass/manifest.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-module_version: "1.0"
-
-var:
- - name: paths
- - name: tags
- default: ["f5.firepass", "forwarded"]
- - name: syslog_host
- default: localhost
- - name: syslog_port
- default: 9509
- - name: input
- default: udp
- - name: community_id
- default: true
- - name: tz_offset
- default: local
- - name: rsa_fields
- default: true
- - name: keep_raw_fields
- default: false
- - name: debug
- default: false
-
-ingest_pipeline: ingest/pipeline.yml
-input: config/input.yml
-
-requires.processors:
-- name: geoip
- plugin: ingest-geoip
-- name: user_agent
- plugin: ingest-user_agent
diff --git a/x-pack/filebeat/module/f5/firepass/test/generated.log b/x-pack/filebeat/module/f5/firepass/test/generated.log
deleted file mode 100644
index dcd42eb4778..00000000000
--- a/x-pack/filebeat/module/f5/firepass/test/generated.log
+++ /dev/null
@@ -1,100 +0,0 @@ -January 29 06:09:59 avolupt1396.www.invalid ntpdate[nto]: adjust time server 10.232.59.7 offset tur -February 12 13:12:33 aliqu5634.api.host ntpd[eni]: [vento] [ehend] Listening on interface lo4377, 10.58.254.89#4819 -February 26 20:15:08 mqui5286.mail.home sshd[litesse]: [orev] [pisciv] Accepted publickey for uii from 10.36.11.87 port 1803 doeiu -firepass[eporr]: [quipexe] [alo] FirePass service stopped on eosquir5191.www.example -NetworkAccess[ctetur]: [uidolor] < Open Network Access Connection using remote IP address 10.194.156.105 -April 9 17:22:51 itamet3338.mail.host EndpointSecurity[squame]: [ntex] [eius] id[luptat]: emape -GarbageCollection[nse]: [eumiu] [uame] no servers defined for Radius Accounting -May 8 07:27:59 orisn6294.www.lan heartbeat[ofdeF]: [metcons] info: roinBCS -May 22 14:30:33 eataevi4044.mail.localhost firepass[ptas]: [nevolu] equat -June 5 21:33:08 ofdeFin3587.www.domain EndpointSecurity[exe]: [iatu] id[ionofde]: "con - Connected from 10.38.189.242 ommodic" -/USR/SBIN/CRON[consec]: [taliquip] [psumq] (atcup) CMD (accept) -/USR/SBIN/CRON[llu]: (uptassi) CMD (accept) -/USR/SBIN/CRON[aqui]: [radipis] (isetq) CMD (deny) -August 2 01:43:25 magn2890.api.localhost sshd[eum]: Accepted publickey for sum from 10.175.6.112 port 5509 onev -maintenance[giatq]: [quid] [fug] uatDuis -firepass[veri]: [rsita] [siutaliq] exercit -September 13 22:51:07 Cice513.api.local kernel[doloreeu]: [pori] kernel: Marketing_resource:occ SRC=10.18.220.102 DST=10.230.12.79 obeataev PROTO=ggp SPT=5000 DPT=340 autfu -September 28 05:53:42 aboris2946.api.host mailer[ssitaspe]: [gitsedqu] Failed to send \'uam\' to \'temq\' -October 12 12:56:16 nsequat6875.www.lan EndpointSecurity[llamcorp]: id[ari]: "eataevit - Connected from 10.50.112.141 mqua" -sshd[ptat]: [ore] [etconsec] Accepted publickey for err from 10.61.78.108 port 2398 eci -November 10 03:01:24 ugits4426.mail.corp mailer[ipit]: Failed to send \'idexea\' to \'riat\' -heartbeat[umdolor]: [osquir] 
info: inim -December 8 17:06:33 tquovol3689.lan GarbageCollection[tatno]: timeout happened. restarting imav services -December 23 00:09:07 turQuisa1567.www5.domain EndpointSecurity[ite]: [ntN] [ciati] id[ercit]: "Connected from 10.243.206.225 mol" -January 6 07:11:41 turveli6399.host kernel[erc]: [taliqu] [temUten] kernel: ccusan -January 20 14:14:16 aveniam1436.www.test Miscellaneous[essequ]: [taevi] [ender] Purge logs: finished. Deleted snulapar logon records -snmp[gni]: [tquiinea] [mquaera] SNMP handler started -February 18 04:19:24 enim2780.www.lan sshd[eriame]: [lorema] [avol] Accepted publickey for labor from 10.0.3.58 port 7224 enb -March 4 11:21:59 ips5153.www5.localdomain GarbageCollection[emporinc]: [untutlab] [tem] apache server is not running. start it -sshd[tessec]: [remipsum] [liq] Accepted publickey for ist from 10.169.144.147 port 2399 nibus -April 2 01:27:07 end1549.mail.localhost kernel[rveli]: [rsint] kernel: Marketing_resource: omm -ntpdate[Nemoeni]: adjust time server 10.196.105.137 offset lup -April 30 15:32:16 lor3224.host mailer[rsitamet]: Failed to send \'lupt\' to \'xea\' -run-crons[luptatev]: admi returned modocons -May 29 05:37:24 abor5821.internal.localhost kernel[eve]: [tatiset] kernel: Marketing_resource:eprehen SRC=10.117.146.33 DST=10.46.158.31 dun PROTO=rdp SPT=703 DPT=3369 rsitam -June 12 12:39:58 onproide4203.api.example security[pitla]: User [block] logon from 10.196.136.214 -June 26 19:42:33 agna7678.internal.host maintenance[equa]: [mexercit] Logged out Sid = dtem -firepass[rehe]: [ume] Logged out -July 25 09:47:41 picia6119.mail.host /USR/SBIN/CRON[dit]: [sumquiad] (dexeaco) CMD (cancel) -August 8 16:50:15 inima5444.www5.lan snmp[nihi]: [Lor] [itecto] erc -kernel[olupt]: [modoco] kernel: cdrom: open failed. 
-September 6 06:55:24 imadmi5494.www.corp EndpointSecurity[eataev]: id[liquide]: uasia -September 20 13:57:58 ici3995.lan EndpointSecurity[vol]: [riat] [taut] id[oreseos]: uames -Miscellaneous[iciatisu]: [rehender] Purge logs: auto started -October 19 04:03:07 hil4828.domain NetworkAccess[iineavo]: [equatD] < Open Network Access Connection using remote IP address 10.192.18.42 -heartbeat[dolo]: [Loremip] [idolor] info: emeumfu -November 16 18:08:15 psaquae7432.www.localdomain sshd[mporain]: [icons] Accepted publickey for amvolup from 10.86.63.253 port 2133 tio -EndpointSecurity[rumetM]: [equi] id[agnaali]: "gnam - Connected from 10.26.236.35 lumqui" -httpd[rpo]: [uipe] [inesci] scr_monitor: serror -ntpd[apariat]: kernel time sync status tlabore -January 12 22:18:32 orev4810.api.localhost /USR/SBIN/CRON[samvolu]: [ittenbyC] (isc) CMD (deny) -snmp[ationemu]: [ice] estiae -February 10 12:23:41 iquipex4443.internal.home ntpdate[wri]: adjust time server 10.170.148.40 offset hitect -maintenance[etconse]: [tincu] ari -March 11 02:28:49 sci5488.test heartbeat[occae]: [ctetura] [labore] info: texp -Miscellaneous[emoe]: [eaq] Purge logs: not started. 
Next purge scheduled time amest is not exceeded -EndpointSecurity[rehender]: [iae] id[dantiumt]: "luptasn - Connected from 10.164.6.207 olestiae" -/USR/SBIN/CRON[ihilmole]: [eriamea] (amre) CMD (allow) -May 7 06:39:06 pisciv7108.lan mailer[boris]: [nti] [abi] Failed to send \'sectetur\' to \'uioffi\' -May 21 13:41:41 temqu3331.api.host mailer[ipi]: Failed to send \'reseos\' to \'pariatu\' -June 4 20:44:15 tenima5685.internal.example heartbeat[eabilloi]: [estia] [tper] info: olor -June 19 03:46:49 orem2138.internal.lan run-crons[fdeFi]: texp returned tasuntex -/USR/SBIN/CRON[sequine]: [ectio] [dutper] (lamcolab) CMD (deny) -run-crons: returned gel -August 1 00:54:32 ris3314.mail.invalid heartbeat[liqui]: [quioffi] info: uptate -August 15 07:57:06 uamei2493.www.test Miscellaneous[ate]: [aliquam] Purge logs: auto started -mailer[itatione]: [isnis] [uptasn] Failed to send \'reme\' to \'acommod\' -mailer[udantium]: Failed to send \'pre\' to \'xeacom\' -httpd[dictasu]: [lorinre] scr_monitor: olorsita -ntpdate[inculpa]: [abo] adjust time server 10.105.76.230 offset aliquide -October 25 19:09:57 maven3758.www.invalid run-crons[labor]: [didunt] uptatema returned intocc -ntpd[aturQui]: frequency initialized utlabor PPM from rau -firepass[nisi]: [dant] shutting down for system reboot -AppTunnel[tinvolu]: < Error - Invalid session id -December 21 23:20:14 quidolor5025.home run-crons: returned rem -run-crons[idolor]: [uisau] [eleum] sintoc returned volupt -heartbeat[uiinea]: info: Utenima -February 2 20:27:57 oinBC6161.api.local ntpdate[spi]: [stquido] adjust time server 10.25.52.65 offset ese -February 17 03:30:32 ptatemq95.api.host heartbeat[Nequepo]: [ipsumd] info: ntocc -kernel: ionofdeF -March 17 17:35:40 etcons7378.api.lan ntpd[ate]: [uiac] precision = epte -AppTunnel[aper]: [santiumd] [turadip] < Error - Invalid session id -/USR/SBIN/CRON[nci]: [tev] [saute] (ntocca) CMD (deny) -April 29 14:43:23 ntN6179.test maintenance[qui]: [ntmollit] [tenatus] Trying connect to 
cipitlab on ipsumd6116.local:6980 -heartbeat[exe]: [imadmini] [sauteiru] info: mod -/USR/SBIN/CRON[ataevi]: [com] (tnulapa) CMD (deny) -httpd[eriti]: [litessec] scr_monitor: itas -June 25 18:53:40 roid6604.www.test ntpdate[Nemoenim]: [squirati] [Sedutp] adjust time server 10.186.101.163 offset utlabor -July 10 01:56:14 lup2134.www.localhost firepass[upida]: [tvolupt] FirePass service started on eufugi2923.internal.host -mailer[untut]: [uamni] Failed to send \'ctet\' to \'ati\' -August 7 16:01:23 archite2217.test NetworkAccess[psumquia]: [ven] < Error - nisist -August 21 23:03:57 msequi5808.mail.test /USR/SBIN/CRON[ptasnu]: [rQu] [oremeu] (laudant) CMD (cancel) -kernel[ncidi]: [eeufugia] [evit] kernel: PPP runtm -September 19 13:09:05 velitse543.api.example heartbeat[torever]: info: oremi -October 3 20:11:40 temUt631.www5.example heartbeat[npr]: info: mquelau -October 18 03:14:14 amcol5625.internal.host run-crons[gitsed]: [tqu] [reprehen] trumexer returned idolo -November 1 10:16:48 atisun6373.mail.localhost security[dmin]: Non-administrator account fugi attempted to access admin account -heartbeat[iduntu]: [idestlab] info: rnatur -run-crons[essequam]: acommo returned nturma -December 14 07:24:31 atemq7682.internal.localhost kernel[reetdol]: [totamre] [isnostr] kernel: GlobalFilter:umqu SRC=10.65.175.9 DST=10.225.181.30 uia PROTO=udp SPT=4412 DPT=5390 siut diff --git a/x-pack/filebeat/module/f5/firepass/test/generated.log-expected.json b/x-pack/filebeat/module/f5/firepass/test/generated.log-expected.json deleted file mode 100644 index e783667b492..00000000000 --- a/x-pack/filebeat/module/f5/firepass/test/generated.log-expected.json +++ /dev/null 
@@ -1,2321 +0,0 @@ -[ - { - "destination.ip": [ - "10.232.59.7" - ], - "event.code": "ntpdate", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "January 29 06:09:59 avolupt1396.www.invalid ntpdate[nto]: adjust time server 10.232.59.7 offset tur", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 0, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.ip": [ - "10.232.59.7" - ], - "rsa.internal.messageid": "ntpdate", - "rsa.time.duration_str": "tur", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "ntpd", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "February 12 13:12:33 aliqu5634.api.host ntpd[eni]: [vento] [ehend] Listening on interface lo4377, 10.58.254.89#4819", - "fileset.name": "firepass", - "host.ip": "10.58.254.89", - "input.type": "log", - "log.offset": 100, - "network.interface.name": "lo4377", - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.ip": [ - "10.58.254.89" - ], - "rsa.internal.messageid": "ntpd", - "rsa.network.interface": "lo4377", - "rsa.network.network_port": 4819, - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "sshd", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "February 26 20:15:08 mqui5286.mail.home sshd[litesse]: [orev] [pisciv] Accepted publickey for uii from 10.36.11.87 port 1803 doeiu", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 216, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.ip": [ - "10.36.11.87" - ], - "related.user": [ - "uii" - ], - "rsa.internal.messageid": "sshd", - "service.type": "f5", - "source.ip": [ - "10.36.11.87" - ], - "source.port": 1803, - "tags": [ - "f5.firepass", - "forwarded" - ], - "user.name": "uii" - }, - { - "event.code": 
"firepass", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "firepass[eporr]: [quipexe] [alo] FirePass service stopped on eosquir5191.www.example", - "fileset.name": "firepass", - "host.name": "eosquir5191.www.example", - "input.type": "log", - "log.offset": 347, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.user": [ - "quipexe" - ], - "rsa.internal.messageid": "firepass", - "rsa.investigations.ec_activity": "Stop", - "rsa.investigations.ec_subject": "Service", - "rsa.network.alias_host": [ - "eosquir5191.www.example" - ], - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ], - "user.name": "quipexe" - }, - { - "destination.ip": [ - "10.194.156.105" - ], - "event.code": "NetworkAccess", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "NetworkAccess[ctetur]: [uidolor] < Open Network Access Connection using remote IP address 10.194.156.105", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 432, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.ip": [ - "10.194.156.105" - ], - "related.user": [ - "uidolor" - ], - "rsa.internal.messageid": "NetworkAccess", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.log_session_id": "nibus", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ], - "user.name": "uidolor" - }, - { - "event.code": "EndpointSecurity", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "April 9 17:22:51 itamet3338.mail.host EndpointSecurity[squame]: [ntex] [eius] id[luptat]: emape", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 544, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.internal.event_desc": "emape", - "rsa.internal.messageid": "EndpointSecurity", - 
"rsa.investigations.ec_theme": "Communication", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "GarbageCollection", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "GarbageCollection[nse]: [eumiu] [uame] no servers defined for Radius Accounting", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 640, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.internal.messageid": "GarbageCollection", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "heartbeat", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "May 8 07:27:59 orisn6294.www.lan heartbeat[ofdeF]: [metcons] info: roinBCS", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 720, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.db.index": "roinBCS", - "rsa.internal.messageid": "heartbeat", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "firepass", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "May 22 14:30:33 eataevi4044.mail.localhost firepass[ptas]: [nevolu] equat", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 795, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.internal.event_desc": "equat", - "rsa.internal.messageid": "firepass", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "EndpointSecurity", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "June 5 21:33:08 ofdeFin3587.www.domain EndpointSecurity[exe]: [iatu] id[ionofde]: \"con - Connected from 10.38.189.242 ommodic\"", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 869, - "observer.product": "FirePass", - "observer.type": "VPN", - 
"observer.vendor": "F5", - "related.ip": [ - "10.38.189.242" - ], - "rsa.db.index": "ommodic", - "rsa.internal.messageid": "EndpointSecurity", - "rsa.investigations.ec_theme": "Communication", - "service.type": "f5", - "source.ip": [ - "10.38.189.242" - ], - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.action": "accept", - "event.code": "/USR/SBIN/CRON", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "/USR/SBIN/CRON[consec]: [taliquip] [psumq] (atcup) CMD (accept)", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 996, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.user": [ - "atcup" - ], - "rsa.internal.messageid": "/USR/SBIN/CRON", - "rsa.misc.action": [ - "accept" - ], - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ], - "user.name": "atcup" - }, - { - "event.action": "accept", - "event.code": "/USR/SBIN/CRON", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "/USR/SBIN/CRON[llu]: (uptassi) CMD (accept)", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 1060, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.user": [ - "uptassi" - ], - "rsa.internal.messageid": "/USR/SBIN/CRON", - "rsa.misc.action": [ - "accept" - ], - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ], - "user.name": "uptassi" - }, - { - "event.action": "deny", - "event.code": "/USR/SBIN/CRON", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "/USR/SBIN/CRON[aqui]: [radipis] (isetq) CMD (deny)", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 1104, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.user": [ - "isetq" - ], - "rsa.internal.messageid": "/USR/SBIN/CRON", - "rsa.misc.action": [ - "deny" - ], - "service.type": "f5", - "tags": [ - 
"f5.firepass", - "forwarded" - ], - "user.name": "isetq" - }, - { - "event.code": "sshd", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "August 2 01:43:25 magn2890.api.localhost sshd[eum]: Accepted publickey for sum from 10.175.6.112 port 5509 onev", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 1155, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.ip": [ - "10.175.6.112" - ], - "related.user": [ - "sum" - ], - "rsa.internal.messageid": "sshd", - "service.type": "f5", - "source.ip": [ - "10.175.6.112" - ], - "source.port": 5509, - "tags": [ - "f5.firepass", - "forwarded" - ], - "user.name": "sum" - }, - { - "event.code": "maintenance", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "maintenance[giatq]: [quid] [fug] uatDuis", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 1267, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.user": [ - "quid" - ], - "rsa.db.index": "uatDuis", - "rsa.internal.messageid": "maintenance", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ], - "user.name": "quid" - }, - { - "event.code": "firepass", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "firepass[veri]: [rsita] [siutaliq] exercit", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 1308, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.internal.event_desc": "exercit", - "rsa.internal.messageid": "firepass", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "destination.ip": [ - "10.230.12.79" - ], - "destination.port": 340, - "event.code": "kernel", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "September 13 22:51:07 Cice513.api.local kernel[doloreeu]: [pori] kernel: Marketing_resource:occ 
SRC=10.18.220.102 DST=10.230.12.79 obeataev PROTO=ggp SPT=5000 DPT=340 autfu", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 1351, - "network.protocol": "ggp", - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.ip": [ - "10.18.220.102", - "10.230.12.79" - ], - "rsa.db.index": "obeataev", - "rsa.internal.messageid": "kernel", - "service.type": "f5", - "source.ip": [ - "10.18.220.102" - ], - "source.port": 5000, - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "mailer", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "September 28 05:53:42 aboris2946.api.host mailer[ssitaspe]: [gitsedqu] Failed to send \\'uam\\' to \\'temq\\'", - "event.outcome": "failure", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 1524, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.email.email_dst": "temq", - "rsa.email.subject": "uam", - "rsa.internal.messageid": "mailer", - "rsa.investigations.ec_activity": "Send", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "Message", - "rsa.investigations.ec_theme": "Communication", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "EndpointSecurity", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "October 12 12:56:16 nsequat6875.www.lan EndpointSecurity[llamcorp]: id[ari]: \"eataevit - Connected from 10.50.112.141 mqua\"", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 1630, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.ip": [ - "10.50.112.141" - ], - "rsa.db.index": "mqua", - "rsa.internal.messageid": "EndpointSecurity", - "rsa.investigations.ec_theme": "Communication", - "service.type": "f5", - "source.ip": [ - "10.50.112.141" - ], - "tags": [ - "f5.firepass", - "forwarded" - ] - 
}, - { - "event.code": "sshd", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "sshd[ptat]: [ore] [etconsec] Accepted publickey for err from 10.61.78.108 port 2398 eci", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 1754, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.ip": [ - "10.61.78.108" - ], - "related.user": [ - "err" - ], - "rsa.internal.messageid": "sshd", - "service.type": "f5", - "source.ip": [ - "10.61.78.108" - ], - "source.port": 2398, - "tags": [ - "f5.firepass", - "forwarded" - ], - "user.name": "err" - }, - { - "event.code": "mailer", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "November 10 03:01:24 ugits4426.mail.corp mailer[ipit]: Failed to send \\'idexea\\' to \\'riat\\'", - "event.outcome": "failure", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 1842, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.email.email_dst": "riat", - "rsa.email.subject": "idexea", - "rsa.internal.messageid": "mailer", - "rsa.investigations.ec_activity": "Send", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "Message", - "rsa.investigations.ec_theme": "Communication", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "heartbeat", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "heartbeat[umdolor]: [osquir] info: inim", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 1935, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.db.index": "inim", - "rsa.internal.messageid": "heartbeat", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "GarbageCollection", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "December 8 17:06:33 
tquovol3689.lan GarbageCollection[tatno]: timeout happened. restarting imav services", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 1975, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.internal.event_desc": "timeout happened. restarting services", - "rsa.internal.messageid": "GarbageCollection", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "EndpointSecurity", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "December 23 00:09:07 turQuisa1567.www5.domain EndpointSecurity[ite]: [ntN] [ciati] id[ercit]: \"Connected from 10.243.206.225 mol\"", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 2080, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.ip": [ - "10.243.206.225" - ], - "rsa.db.index": "mol", - "rsa.internal.messageid": "EndpointSecurity", - "rsa.investigations.ec_theme": "Communication", - "service.type": "f5", - "source.ip": [ - "10.243.206.225" - ], - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "kernel", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "January 6 07:11:41 turveli6399.host kernel[erc]: [taliqu] [temUten] kernel: ccusan", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 2210, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.db.index": "ccusan", - "rsa.internal.messageid": "kernel", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "Miscellaneous", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "January 20 14:14:16 aveniam1436.www.test Miscellaneous[essequ]: [taevi] [ender] Purge logs: finished. 
Deleted snulapar logon records", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 2293, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.user": [ - "taevi" - ], - "rsa.internal.messageid": "Miscellaneous", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ], - "user.name": "taevi" - }, - { - "event.action": "started", - "event.code": "snmp", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "snmp[gni]: [tquiinea] [mquaera] SNMP handler started", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 2426, - "network.protocol": "SNMP", - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.internal.event_desc": "SNMP handler started", - "rsa.internal.messageid": "snmp", - "rsa.misc.action": [ - "started" - ], - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "sshd", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "February 18 04:19:24 enim2780.www.lan sshd[eriame]: [lorema] [avol] Accepted publickey for labor from 10.0.3.58 port 7224 enb", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 2479, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.ip": [ - "10.0.3.58" - ], - "related.user": [ - "labor" - ], - "rsa.internal.messageid": "sshd", - "service.type": "f5", - "source.ip": [ - "10.0.3.58" - ], - "source.port": 7224, - "tags": [ - "f5.firepass", - "forwarded" - ], - "user.name": "labor" - }, - { - "event.code": "GarbageCollection", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "March 4 11:21:59 ips5153.www5.localdomain GarbageCollection[emporinc]: [untutlab] [tem] apache server is not running. 
start it", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 2605, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.internal.messageid": "GarbageCollection", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "sshd", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "sshd[tessec]: [remipsum] [liq] Accepted publickey for ist from 10.169.144.147 port 2399 nibus", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 2732, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.ip": [ - "10.169.144.147" - ], - "related.user": [ - "ist" - ], - "rsa.internal.messageid": "sshd", - "service.type": "f5", - "source.ip": [ - "10.169.144.147" - ], - "source.port": 2399, - "tags": [ - "f5.firepass", - "forwarded" - ], - "user.name": "ist" - }, - { - "event.code": "kernel", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "April 2 01:27:07 end1549.mail.localhost kernel[rveli]: [rsint] kernel: Marketing_resource: omm", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 2826, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.db.index": "omm", - "rsa.internal.messageid": "kernel", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "destination.ip": [ - "10.196.105.137" - ], - "event.code": "ntpdate", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "ntpdate[Nemoeni]: adjust time server 10.196.105.137 offset lup", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 2921, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.ip": [ - "10.196.105.137" - ], - "rsa.internal.messageid": "ntpdate", - "rsa.time.duration_str": "lup", - "service.type": "f5", - "tags": [ - "f5.firepass", - 
"forwarded" - ] - }, - { - "event.code": "mailer", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "April 30 15:32:16 lor3224.host mailer[rsitamet]: Failed to send \\'lupt\\' to \\'xea\\'", - "event.outcome": "failure", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 2984, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.email.email_dst": "xea", - "rsa.email.subject": "lupt", - "rsa.internal.messageid": "mailer", - "rsa.investigations.ec_activity": "Send", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "Message", - "rsa.investigations.ec_theme": "Communication", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "run-crons", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "run-crons[luptatev]: admi returned modocons", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 3068, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.internal.messageid": "run-crons", - "rsa.misc.result_code": "modocons", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "destination.ip": [ - "10.46.158.31" - ], - "destination.port": 3369, - "event.code": "kernel", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "May 29 05:37:24 abor5821.internal.localhost kernel[eve]: [tatiset] kernel: Marketing_resource:eprehen SRC=10.117.146.33 DST=10.46.158.31 dun PROTO=rdp SPT=703 DPT=3369 rsitam", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 3112, - "network.protocol": "rdp", - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.ip": [ - "10.117.146.33", - "10.46.158.31" - ], - "rsa.db.index": "dun", - "rsa.internal.messageid": "kernel", - "service.type": "f5", - "source.ip": [ - "10.117.146.33" - ], - 
"source.port": 703, - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.action": "block", - "event.code": "security", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "June 12 12:39:58 onproide4203.api.example security[pitla]: User [block] logon from 10.196.136.214", - "event.outcome": "unknown", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 3287, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.ip": [ - "10.196.136.214" - ], - "rsa.internal.messageid": "security", - "rsa.investigations.ec_activity": "Logon", - "rsa.investigations.ec_outcome": "Error", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Authentication", - "rsa.misc.action": [ - "block" - ], - "service.type": "f5", - "source.ip": [ - "10.196.136.214" - ], - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "maintenance", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "June 26 19:42:33 agna7678.internal.host maintenance[equa]: [mexercit] Logged out Sid = dtem", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 3385, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.user": [ - "mexercit" - ], - "rsa.internal.messageid": "maintenance", - "rsa.investigations.ec_activity": "Logoff", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.log_session_id": "dtem", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ], - "user.name": "mexercit" - }, - { - "event.code": "firepass", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "firepass[rehe]: [ume] Logged out", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 3477, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.user": [ - "ume" - ], 
- "rsa.internal.messageid": "firepass", - "rsa.investigations.ec_activity": "Logoff", - "rsa.investigations.ec_subject": "User", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ], - "user.name": "ume" - }, - { - "event.action": "cancel", - "event.code": "/USR/SBIN/CRON", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "July 25 09:47:41 picia6119.mail.host /USR/SBIN/CRON[dit]: [sumquiad] (dexeaco) CMD (cancel)", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 3510, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.user": [ - "dexeaco" - ], - "rsa.internal.messageid": "/USR/SBIN/CRON", - "rsa.misc.action": [ - "cancel" - ], - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ], - "user.name": "dexeaco" - }, - { - "event.code": "snmp", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "August 8 16:50:15 inima5444.www5.lan snmp[nihi]: [Lor] [itecto] erc", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 3602, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.internal.event_desc": "erc", - "rsa.internal.messageid": "snmp", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "kernel", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "kernel[olupt]: [modoco] kernel: cdrom: open failed.", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 3670, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.internal.messageid": "kernel", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "EndpointSecurity", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "September 6 06:55:24 imadmi5494.www.corp EndpointSecurity[eataev]: id[liquide]: uasia", - 
"fileset.name": "firepass", - "input.type": "log", - "log.offset": 3722, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.internal.event_desc": "uasia", - "rsa.internal.messageid": "EndpointSecurity", - "rsa.investigations.ec_theme": "Communication", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "EndpointSecurity", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "September 20 13:57:58 ici3995.lan EndpointSecurity[vol]: [riat] [taut] id[oreseos]: uames", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 3808, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.internal.event_desc": "uames", - "rsa.internal.messageid": "EndpointSecurity", - "rsa.investigations.ec_theme": "Communication", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "Miscellaneous", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "Miscellaneous[iciatisu]: [rehender] Purge logs: auto started", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 3898, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.user": [ - "rehender" - ], - "rsa.internal.messageid": "Miscellaneous", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ], - "user.name": "rehender" - }, - { - "destination.ip": [ - "10.192.18.42" - ], - "event.code": "NetworkAccess", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "October 19 04:03:07 hil4828.domain NetworkAccess[iineavo]: [equatD] < Open Network Access Connection using remote IP address 10.192.18.42", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 3959, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.ip": [ - "10.192.18.42" - ], - 
"related.user": [ - "equatD" - ], - "rsa.internal.messageid": "NetworkAccess", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.log_session_id": "isno", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ], - "user.name": "equatD" - }, - { - "event.code": "heartbeat", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "heartbeat[dolo]: [Loremip] [idolor] info: emeumfu", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 4103, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.db.index": "emeumfu", - "rsa.internal.messageid": "heartbeat", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "sshd", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "November 16 18:08:15 psaquae7432.www.localdomain sshd[mporain]: [icons] Accepted publickey for amvolup from 10.86.63.253 port 2133 tio", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 4153, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.ip": [ - "10.86.63.253" - ], - "related.user": [ - "amvolup" - ], - "rsa.internal.messageid": "sshd", - "service.type": "f5", - "source.ip": [ - "10.86.63.253" - ], - "source.port": 2133, - "tags": [ - "f5.firepass", - "forwarded" - ], - "user.name": "amvolup" - }, - { - "event.code": "EndpointSecurity", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "EndpointSecurity[rumetM]: [equi] id[agnaali]: \"gnam - Connected from 10.26.236.35 lumqui\"", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 4288, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.ip": [ - "10.26.236.35" - ], - "rsa.db.index": "lumqui", - "rsa.internal.messageid": "EndpointSecurity", - "rsa.investigations.ec_theme": 
"Communication", - "service.type": "f5", - "source.ip": [ - "10.26.236.35" - ], - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "httpd", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "httpd[rpo]: [uipe] [inesci] scr_monitor: serror", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 4378, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.user": [ - "uipe" - ], - "rsa.internal.messageid": "httpd", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ], - "user.name": "uipe" - }, - { - "event.code": "ntpd", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "ntpd[apariat]: kernel time sync status tlabore", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 4426, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.internal.messageid": "ntpd", - "rsa.misc.result_code": "tlabore", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.action": "deny", - "event.code": "/USR/SBIN/CRON", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "January 12 22:18:32 orev4810.api.localhost /USR/SBIN/CRON[samvolu]: [ittenbyC] (isc) CMD (deny)", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 4473, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.user": [ - "isc" - ], - "rsa.internal.messageid": "/USR/SBIN/CRON", - "rsa.misc.action": [ - "deny" - ], - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ], - "user.name": "isc" - }, - { - "event.code": "snmp", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "snmp[ationemu]: [ice] estiae", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 4569, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": 
"F5", - "rsa.internal.event_desc": "estiae", - "rsa.internal.messageid": "snmp", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "destination.ip": [ - "10.170.148.40" - ], - "event.code": "ntpdate", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "February 10 12:23:41 iquipex4443.internal.home ntpdate[wri]: adjust time server 10.170.148.40 offset hitect", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 4598, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.ip": [ - "10.170.148.40" - ], - "rsa.internal.messageid": "ntpdate", - "rsa.time.duration_str": "hitect", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "maintenance", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "maintenance[etconse]: [tincu] ari", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 4706, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.user": [ - "tincu" - ], - "rsa.db.index": "ari", - "rsa.internal.messageid": "maintenance", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ], - "user.name": "tincu" - }, - { - "event.code": "heartbeat", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "March 11 02:28:49 sci5488.test heartbeat[occae]: [ctetura] [labore] info: texp", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 4740, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.db.index": "texp", - "rsa.internal.messageid": "heartbeat", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "Miscellaneous", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "Miscellaneous[emoe]: [eaq] Purge logs: not started. 
Next purge scheduled time amest is not exceeded", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 4819, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.user": [ - "eaq" - ], - "rsa.internal.messageid": "Miscellaneous", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ], - "user.name": "eaq" - }, - { - "event.code": "EndpointSecurity", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "EndpointSecurity[rehender]: [iae] id[dantiumt]: \"luptasn - Connected from 10.164.6.207 olestiae\"", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 4919, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.ip": [ - "10.164.6.207" - ], - "rsa.db.index": "olestiae", - "rsa.internal.messageid": "EndpointSecurity", - "rsa.investigations.ec_theme": "Communication", - "service.type": "f5", - "source.ip": [ - "10.164.6.207" - ], - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.action": "allow", - "event.code": "/USR/SBIN/CRON", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "/USR/SBIN/CRON[ihilmole]: [eriamea] (amre) CMD (allow)", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 5016, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.user": [ - "amre" - ], - "rsa.internal.messageid": "/USR/SBIN/CRON", - "rsa.misc.action": [ - "allow" - ], - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ], - "user.name": "amre" - }, - { - "event.code": "mailer", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "May 7 06:39:06 pisciv7108.lan mailer[boris]: [nti] [abi] Failed to send \\'sectetur\\' to \\'uioffi\\'", - "event.outcome": "failure", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 5071, - "observer.product": "FirePass", - 
"observer.type": "VPN", - "observer.vendor": "F5", - "rsa.email.email_dst": "uioffi", - "rsa.email.subject": "sectetur", - "rsa.internal.messageid": "mailer", - "rsa.investigations.ec_activity": "Send", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "Message", - "rsa.investigations.ec_theme": "Communication", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "mailer", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "May 21 13:41:41 temqu3331.api.host mailer[ipi]: Failed to send \\'reseos\\' to \\'pariatu\\'", - "event.outcome": "failure", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 5170, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.email.email_dst": "pariatu", - "rsa.email.subject": "reseos", - "rsa.internal.messageid": "mailer", - "rsa.investigations.ec_activity": "Send", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "Message", - "rsa.investigations.ec_theme": "Communication", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "heartbeat", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "June 4 20:44:15 tenima5685.internal.example heartbeat[eabilloi]: [estia] [tper] info: olor", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 5259, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.db.index": "olor", - "rsa.internal.messageid": "heartbeat", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "run-crons", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "June 19 03:46:49 orem2138.internal.lan run-crons[fdeFi]: texp returned tasuntex", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 5350, - "observer.product": "FirePass", 
- "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.internal.messageid": "run-crons", - "rsa.misc.result_code": "tasuntex", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.action": "deny", - "event.code": "/USR/SBIN/CRON", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "/USR/SBIN/CRON[sequine]: [ectio] [dutper] (lamcolab) CMD (deny)", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 5430, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.user": [ - "lamcolab" - ], - "rsa.internal.messageid": "/USR/SBIN/CRON", - "rsa.misc.action": [ - "deny" - ], - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ], - "user.name": "lamcolab" - }, - { - "event.code": "run-crons", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "run-crons: returned gel", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 5494, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.internal.messageid": "run-crons", - "rsa.misc.result_code": "gel", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "heartbeat", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "August 1 00:54:32 ris3314.mail.invalid heartbeat[liqui]: [quioffi] info: uptate", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 5519, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.db.index": "uptate", - "rsa.internal.messageid": "heartbeat", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "Miscellaneous", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "August 15 07:57:06 uamei2493.www.test Miscellaneous[ate]: [aliquam] Purge logs: auto started", - "fileset.name": "firepass", - 
"input.type": "log", - "log.offset": 5599, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.user": [ - "aliquam" - ], - "rsa.internal.messageid": "Miscellaneous", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ], - "user.name": "aliquam" - }, - { - "event.code": "mailer", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "mailer[itatione]: [isnis] [uptasn] Failed to send \\'reme\\' to \\'acommod\\'", - "event.outcome": "failure", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 5692, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.email.email_dst": "acommod", - "rsa.email.subject": "reme", - "rsa.internal.messageid": "mailer", - "rsa.investigations.ec_activity": "Send", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "Message", - "rsa.investigations.ec_theme": "Communication", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "mailer", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "mailer[udantium]: Failed to send \\'pre\\' to \\'xeacom\\'", - "event.outcome": "failure", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 5766, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.email.email_dst": "xeacom", - "rsa.email.subject": "pre", - "rsa.internal.messageid": "mailer", - "rsa.investigations.ec_activity": "Send", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "Message", - "rsa.investigations.ec_theme": "Communication", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "httpd", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "httpd[dictasu]: [lorinre] scr_monitor: olorsita", - "fileset.name": "firepass", - "input.type": "log", 
- "log.offset": 5821, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.user": [ - "lorinre" - ], - "rsa.internal.messageid": "httpd", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ], - "user.name": "lorinre" - }, - { - "destination.ip": [ - "10.105.76.230" - ], - "event.code": "ntpdate", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "ntpdate[inculpa]: [abo] adjust time server 10.105.76.230 offset aliquide", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 5869, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.ip": [ - "10.105.76.230" - ], - "rsa.internal.messageid": "ntpdate", - "rsa.time.duration_str": "aliquide", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "run-crons", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "October 25 19:09:57 maven3758.www.invalid run-crons[labor]: [didunt] uptatema returned intocc", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 5942, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.internal.messageid": "run-crons", - "rsa.misc.result_code": "intocc", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "ntpd", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "ntpd[aturQui]: frequency initialized utlabor PPM from rau", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 6036, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.internal.messageid": "ntpd", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "firepass", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "firepass[nisi]: [dant] shutting down for system 
reboot", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 6094, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.internal.event_desc": "shutting down for system reboot", - "rsa.internal.messageid": "firepass", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "AppTunnel", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "AppTunnel[tinvolu]: < Error - Invalid session id", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 6149, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.internal.messageid": "AppTunnel", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.log_session_id": "iurer", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "run-crons", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "December 21 23:20:14 quidolor5025.home run-crons: returned rem", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 6205, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.internal.messageid": "run-crons", - "rsa.misc.result_code": "rem", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "run-crons", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "run-crons[idolor]: [uisau] [eleum] sintoc returned volupt", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 6269, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.internal.messageid": "run-crons", - "rsa.misc.result_code": "volupt", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "heartbeat", - "event.dataset": "f5.firepass", - "event.module": "f5", - 
"event.original": "heartbeat[uiinea]: info: Utenima", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 6327, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.db.index": "Utenima", - "rsa.internal.messageid": "heartbeat", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "destination.ip": [ - "10.25.52.65" - ], - "event.code": "ntpdate", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "February 2 20:27:57 oinBC6161.api.local ntpdate[spi]: [stquido] adjust time server 10.25.52.65 offset ese", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 6360, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.ip": [ - "10.25.52.65" - ], - "rsa.internal.messageid": "ntpdate", - "rsa.time.duration_str": "ese", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "heartbeat", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "February 17 03:30:32 ptatemq95.api.host heartbeat[Nequepo]: [ipsumd] info: ntocc", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 6466, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.db.index": "ntocc", - "rsa.internal.messageid": "heartbeat", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "kernel", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "kernel: ionofdeF", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 6547, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.db.index": "ionofdeF", - "rsa.internal.messageid": "kernel", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "ntpd", - "event.dataset": "f5.firepass", - "event.module": "f5", - 
"event.original": "March 17 17:35:40 etcons7378.api.lan ntpd[ate]: [uiac] precision = epte", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 6564, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.internal.messageid": "ntpd", - "rsa.time.duration_str": "epte", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "AppTunnel", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "AppTunnel[aper]: [santiumd] [turadip] < Error - Invalid session id", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 6636, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.internal.messageid": "AppTunnel", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.log_session_id": "uatD", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.action": "deny", - "event.code": "/USR/SBIN/CRON", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "/USR/SBIN/CRON[nci]: [tev] [saute] (ntocca) CMD (deny)", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 6709, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.user": [ - "ntocca" - ], - "rsa.internal.messageid": "/USR/SBIN/CRON", - "rsa.misc.action": [ - "deny" - ], - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ], - "user.name": "ntocca" - }, - { - "event.code": "maintenance", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "April 29 14:43:23 ntN6179.test maintenance[qui]: [ntmollit] [tenatus] Trying connect to cipitlab on ipsumd6116.local:6980", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 6764, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.user": 
[ - "ntmollit" - ], - "rsa.internal.messageid": "maintenance", - "rsa.network.network_port": 6980, - "rsa.web.fqdn": "ipsumd6116.local", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ], - "user.name": "ntmollit" - }, - { - "event.code": "heartbeat", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "heartbeat[exe]: [imadmini] [sauteiru] info: mod", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 6886, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.db.index": "mod", - "rsa.internal.messageid": "heartbeat", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.action": "deny", - "event.code": "/USR/SBIN/CRON", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "/USR/SBIN/CRON[ataevi]: [com] (tnulapa) CMD (deny)", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 6934, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.user": [ - "tnulapa" - ], - "rsa.internal.messageid": "/USR/SBIN/CRON", - "rsa.misc.action": [ - "deny" - ], - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ], - "user.name": "tnulapa" - }, - { - "event.code": "httpd", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "httpd[eriti]: [litessec] scr_monitor: itas", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 6985, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.user": [ - "litessec" - ], - "rsa.internal.messageid": "httpd", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ], - "user.name": "litessec" - }, - { - "destination.ip": [ - "10.186.101.163" - ], - "event.code": "ntpdate", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "June 25 18:53:40 roid6604.www.test ntpdate[Nemoenim]: [squirati] 
[Sedutp] adjust time server 10.186.101.163 offset utlabor", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 7028, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.ip": [ - "10.186.101.163" - ], - "rsa.internal.messageid": "ntpdate", - "rsa.time.duration_str": "utlabor", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "firepass", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "July 10 01:56:14 lup2134.www.localhost firepass[upida]: [tvolupt] FirePass service started on eufugi2923.internal.host", - "fileset.name": "firepass", - "host.name": "eufugi2923.internal.host", - "input.type": "log", - "log.offset": 7151, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.user": [ - "tvolupt" - ], - "rsa.internal.messageid": "firepass", - "rsa.investigations.ec_activity": "Start", - "rsa.investigations.ec_subject": "Service", - "rsa.network.alias_host": [ - "eufugi2923.internal.host" - ], - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ], - "user.name": "tvolupt" - }, - { - "event.code": "mailer", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "mailer[untut]: [uamni] Failed to send \\'ctet\\' to \\'ati\\'", - "event.outcome": "failure", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 7270, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.email.email_dst": "ati", - "rsa.email.subject": "ctet", - "rsa.internal.messageid": "mailer", - "rsa.investigations.ec_activity": "Send", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "Message", - "rsa.investigations.ec_theme": "Communication", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "NetworkAccess", - "event.dataset": "f5.firepass", - 
"event.module": "f5", - "event.original": "August 7 16:01:23 archite2217.test NetworkAccess[psumquia]: [ven] < Error - nisist", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 7328, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.user": [ - "ven" - ], - "rsa.db.index": "nisist", - "rsa.internal.messageid": "NetworkAccess", - "rsa.investigations.ec_subject": "NetworkComm", - "rsa.investigations.ec_theme": "Communication", - "rsa.misc.log_session_id": "con", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ], - "user.name": "ven" - }, - { - "event.action": "cancel", - "event.code": "/USR/SBIN/CRON", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "August 21 23:03:57 msequi5808.mail.test /USR/SBIN/CRON[ptasnu]: [rQu] [oremeu] (laudant) CMD (cancel)", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 7416, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.user": [ - "laudant" - ], - "rsa.internal.messageid": "/USR/SBIN/CRON", - "rsa.misc.action": [ - "cancel" - ], - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ], - "user.name": "laudant" - }, - { - "event.code": "kernel", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "kernel[ncidi]: [eeufugia] [evit] kernel: PPP runtm", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 7518, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.db.index": "runtm", - "rsa.internal.messageid": "kernel", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "heartbeat", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "September 19 13:09:05 velitse543.api.example heartbeat[torever]: info: oremi", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 7569, - 
"observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.db.index": "oremi", - "rsa.internal.messageid": "heartbeat", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "heartbeat", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "October 3 20:11:40 temUt631.www5.example heartbeat[npr]: info: mquelau", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 7646, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.db.index": "mquelau", - "rsa.internal.messageid": "heartbeat", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "run-crons", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "October 18 03:14:14 amcol5625.internal.host run-crons[gitsed]: [tqu] [reprehen] trumexer returned idolo", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 7717, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.internal.messageid": "run-crons", - "rsa.misc.result_code": "idolo", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "security", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "November 1 10:16:48 atisun6373.mail.localhost security[dmin]: Non-administrator account fugi attempted to access admin account", - "event.outcome": "failure", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 7821, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.user": [ - "fugi" - ], - "rsa.internal.messageid": "security", - "rsa.investigations.ec_activity": "Logon", - "rsa.investigations.ec_outcome": "Failure", - "rsa.investigations.ec_subject": "User", - "rsa.investigations.ec_theme": "Policy", - "service.type": "f5", - "tags": [ - "f5.firepass", - 
"forwarded" - ], - "user.name": "fugi" - }, - { - "event.code": "heartbeat", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "heartbeat[iduntu]: [idestlab] info: rnatur", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 7948, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.db.index": "rnatur", - "rsa.internal.messageid": "heartbeat", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "event.code": "run-crons", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "run-crons[essequam]: acommo returned nturma", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 7991, - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "rsa.internal.messageid": "run-crons", - "rsa.misc.result_code": "nturma", - "service.type": "f5", - "tags": [ - "f5.firepass", - "forwarded" - ] - }, - { - "destination.ip": [ - "10.225.181.30" - ], - "destination.port": 5390, - "event.code": "kernel", - "event.dataset": "f5.firepass", - "event.module": "f5", - "event.original": "December 14 07:24:31 atemq7682.internal.localhost kernel[reetdol]: [totamre] [isnostr] kernel: GlobalFilter:umqu SRC=10.65.175.9 DST=10.225.181.30 uia PROTO=udp SPT=4412 DPT=5390 siut", - "fileset.name": "firepass", - "input.type": "log", - "log.offset": 8035, - "network.protocol": "udp", - "observer.product": "FirePass", - "observer.type": "VPN", - "observer.vendor": "F5", - "related.ip": [ - "10.65.175.9", - "10.225.181.30" - ], - "rsa.db.index": "uia", - "rsa.internal.messageid": "kernel", - "service.type": "f5", - "source.ip": [ - "10.65.175.9" - ], - "source.port": 4412, - "tags": [ - "f5.firepass", - "forwarded" - ] - } -] \ No newline at end of file diff --git a/x-pack/filebeat/module/fortinet/_meta/fields.yml b/x-pack/filebeat/module/fortinet/_meta/fields.yml index 21a001384ef..6cfa7a7a609 100644 
--- a/x-pack/filebeat/module/fortinet/_meta/fields.yml +++ b/x-pack/filebeat/module/fortinet/_meta/fields.yml @@ -3,12 +3,3 @@ description: > fortinet Module fields: - - name: fortinet - type: group - description: > - Fields from fortinet FortiOS - fields: - - name: file.hash.crc32 - type: keyword - description: > - CRC32 Hash of file \ No newline at end of file diff --git a/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json b/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json index e2670bf5b87..3b9dc0716ec 100644 --- a/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json +++ b/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json @@ -186,8 +186,8 @@ "observer.vendor": "Fortinet", "process.pid": 5712, "related.ip": [ - "10.134.137.177", - "10.202.204.154" + "10.202.204.154", + "10.134.137.177" ], "related.user": [ "orsitame" @@ -241,8 +241,8 @@ "observer.vendor": "Fortinet", "process.pid": 6557, "related.ip": [ - "10.245.142.250", - "10.70.0.60" + "10.70.0.60", + "10.245.142.250" ], "related.user": [ "eos" @@ -296,8 +296,8 @@ "observer.vendor": "Fortinet", "process.pid": 2061, "related.ip": [ - "10.200.188.142", - "10.202.72.124" + "10.202.72.124", + "10.200.188.142" ], "related.user": [ "iusmodt" @@ -406,8 +406,8 @@ "observer.vendor": "Fortinet", "process.pid": 5037, "related.ip": [ - "10.66.108.11", - "10.198.136.50" + "10.198.136.50", + "10.66.108.11" ], "related.user": [ "uptatev" @@ -461,8 +461,8 @@ "observer.vendor": "Fortinet", "process.pid": 776, "related.ip": [ - "10.178.244.31", - "10.69.20.77" + "10.69.20.77", + "10.178.244.31" ], "related.user": [ "umdolor" @@ -626,8 +626,8 @@ "observer.vendor": "Fortinet", "process.pid": 2703, "related.ip": [ - "10.57.40.29", - "10.210.213.18" + "10.210.213.18", + "10.57.40.29" ], "related.user": [ "onse" 
@@ -736,8 +736,8 @@ "observer.vendor": "Fortinet", "process.pid": 7668, "related.ip": [ - "10.72.58.135", - "10.109.232.112" + "10.109.232.112", + "10.72.58.135" ], "related.user": [ "xea" @@ -846,8 +846,8 @@ "observer.vendor": "Fortinet", "process.pid": 7183, "related.ip": [ - "10.76.72.111", - "10.70.95.74" + "10.70.95.74", + "10.76.72.111" ], "related.user": [ "ivelits" @@ -901,8 +901,8 @@ "observer.vendor": "Fortinet", "process.pid": 6907, "related.ip": [ - "10.19.201.13", - "10.73.69.75" + "10.73.69.75", + "10.19.201.13" ], "related.user": [ "tat" @@ -1011,8 +1011,8 @@ "observer.vendor": "Fortinet", "process.pid": 1531, "related.ip": [ - "10.135.233.146", - "10.25.192.202" + "10.25.192.202", + "10.135.233.146" ], "related.user": [ "emeumfu" @@ -1066,8 +1066,8 @@ "observer.vendor": "Fortinet", "process.pid": 6051, "related.ip": [ - "10.104.134.200", - "10.121.219.204" + "10.121.219.204", + "10.104.134.200" ], "related.user": [ "uptat" @@ -1176,8 +1176,8 @@ "observer.vendor": "Fortinet", "process.pid": 5200, "related.ip": [ - "10.161.57.8", - "10.141.44.153" + "10.141.44.153", + "10.161.57.8" ], "related.user": [ "quisnos" @@ -1231,8 +1231,8 @@ "observer.vendor": "Fortinet", "process.pid": 3365, "related.ip": [ - "10.6.167.7", - "10.153.111.103" + "10.153.111.103", + "10.6.167.7" ], "related.user": [ "eumfug" @@ -1286,8 +1286,8 @@ "observer.vendor": "Fortinet", "process.pid": 1835, "related.ip": [ - "10.134.148.219", - "10.248.204.182" + "10.248.204.182", + "10.134.148.219" ], "related.user": [ "uioffi" @@ -1506,8 +1506,8 @@ "observer.vendor": "Fortinet", "process.pid": 2328, "related.ip": [ - "10.168.90.81", - "10.101.57.120" + "10.101.57.120", + "10.168.90.81" ], "related.user": [ "eporr" @@ -1561,8 +1561,8 @@ "observer.vendor": "Fortinet", "process.pid": 1156, "related.ip": [ - "10.14.211.43", - "10.130.14.60" + "10.130.14.60", + "10.14.211.43" ], "related.user": [ "litse" 
@@ -1616,8 +1616,8 @@ "observer.vendor": "Fortinet", "process.pid": 6003, "related.ip": [ - "10.60.129.15", - "10.248.101.25" + "10.248.101.25", + "10.60.129.15" ], "related.user": [ "evolup" @@ -1781,8 +1781,8 @@ "observer.vendor": "Fortinet", "process.pid": 6932, "related.ip": [ - "10.75.99.127", - "10.195.2.130" + "10.195.2.130", + "10.75.99.127" ], "related.user": [ "inibusB" @@ -1836,8 +1836,8 @@ "observer.vendor": "Fortinet", "process.pid": 6945, "related.ip": [ - "10.245.104.182", - "10.201.238.90" + "10.201.238.90", + "10.245.104.182" ], "related.user": [ "ovol" @@ -1946,8 +1946,8 @@ "observer.vendor": "Fortinet", "process.pid": 4153, "related.ip": [ - "10.184.18.202", - "10.4.157.1" + "10.4.157.1", + "10.184.18.202" ], "related.user": [ "oditem" @@ -2001,8 +2001,8 @@ "observer.vendor": "Fortinet", "process.pid": 1693, "related.ip": [ - "10.113.95.59", - "10.255.39.252" + "10.255.39.252", + "10.113.95.59" ], "related.user": [ "persp" @@ -2221,8 +2221,8 @@ "observer.vendor": "Fortinet", "process.pid": 55, "related.ip": [ - "10.9.12.248", - "10.9.18.237" + "10.9.18.237", + "10.9.12.248" ], "related.user": [ "uradi" @@ -2276,8 +2276,8 @@ "observer.vendor": "Fortinet", "process.pid": 228, "related.ip": [ - "10.41.123.102", - "10.83.130.226" + "10.83.130.226", + "10.41.123.102" ], "related.user": [ "tenim" @@ -2331,8 +2331,8 @@ "observer.vendor": "Fortinet", "process.pid": 4253, "related.ip": [ - "10.175.112.197", - "10.80.152.108" + "10.80.152.108", + "10.175.112.197" ], "related.user": [ "tametcon" @@ -2386,8 +2386,8 @@ "observer.vendor": "Fortinet", "process.pid": 2200, "related.ip": [ - "10.142.25.100", - "10.134.18.114" + "10.134.18.114", + "10.142.25.100" ], "related.user": [ "osqui" @@ -2991,8 +2991,8 @@ "observer.vendor": "Fortinet", "process.pid": 276, "related.ip": [ - "10.50.233.155", - "10.60.142.127" + "10.60.142.127", + "10.50.233.155" ], "related.user": [ "atv" 
@@ -3101,8 +3101,8 @@ "observer.vendor": "Fortinet", "process.pid": 3453, "related.ip": [ - "10.6.38.163", - "10.31.237.225" + "10.31.237.225", + "10.6.38.163" ], "related.user": [ "olup" @@ -3156,8 +3156,8 @@ "observer.vendor": "Fortinet", "process.pid": 2302, "related.ip": [ - "10.226.5.189", - "10.125.165.144" + "10.125.165.144", + "10.226.5.189" ], "related.user": [ "mvolu" @@ -3321,8 +3321,8 @@ "observer.vendor": "Fortinet", "process.pid": 1586, "related.ip": [ - "10.123.199.198", - "10.17.87.79" + "10.17.87.79", + "10.123.199.198" ], "related.user": [ "ratvolu" @@ -3376,8 +3376,8 @@ "observer.vendor": "Fortinet", "process.pid": 5137, "related.ip": [ - "10.38.86.177", - "10.115.68.40" + "10.115.68.40", + "10.38.86.177" ], "related.user": [ "mpo" @@ -3541,8 +3541,8 @@ "observer.vendor": "Fortinet", "process.pid": 5398, "related.ip": [ - "10.1.96.93", - "10.54.73.158" + "10.54.73.158", + "10.1.96.93" ], "related.user": [ "lloinven" @@ -3651,8 +3651,8 @@ "observer.vendor": "Fortinet", "process.pid": 6064, "related.ip": [ - "10.77.229.168", - "10.181.247.224" + "10.181.247.224", + "10.77.229.168" ], "related.user": [ "adol" @@ -3871,8 +3871,8 @@ "observer.vendor": "Fortinet", "process.pid": 4984, "related.ip": [ - "10.77.78.180", - "10.97.236.123" + "10.97.236.123", + "10.77.78.180" ], "related.user": [ "nisi" @@ -4256,8 +4256,8 @@ "observer.vendor": "Fortinet", "process.pid": 7128, "related.ip": [ - "10.76.125.70", - "10.54.23.133" + "10.54.23.133", + "10.76.125.70" ], "related.user": [ "oloreeu" @@ -4311,8 +4311,8 @@ "observer.vendor": "Fortinet", "process.pid": 2780, "related.ip": [ - "10.189.42.62", - "10.36.110.69" + "10.36.110.69", + "10.189.42.62" ], "related.user": [ "eque" @@ -4366,8 +4366,8 @@ "observer.vendor": "Fortinet", "process.pid": 3284, "related.ip": [ - "10.183.202.82", - "10.47.179.68" + "10.47.179.68", + "10.183.202.82" ], "related.user": [ "umfugi" 
@@ -4531,8 +4531,8 @@ "observer.vendor": "Fortinet", "process.pid": 3990, "related.ip": [ - "10.30.246.132", - "10.208.18.210" + "10.208.18.210", + "10.30.246.132" ], "related.user": [ "veniam" @@ -4586,8 +4586,8 @@ "observer.vendor": "Fortinet", "process.pid": 4337, "related.ip": [ - "10.106.249.91", - "10.19.119.17" + "10.19.119.17", + "10.106.249.91" ], "related.user": [ "lit" @@ -4641,8 +4641,8 @@ "observer.vendor": "Fortinet", "process.pid": 5275, "related.ip": [ - "10.29.109.126", - "10.181.41.154" + "10.181.41.154", + "10.29.109.126" ], "related.user": [ "labo" @@ -4806,8 +4806,8 @@ "observer.vendor": "Fortinet", "process.pid": 226, "related.ip": [ - "10.103.189.199", - "10.29.120.226" + "10.29.120.226", + "10.103.189.199" ], "related.user": [ "emu" @@ -4916,8 +4916,8 @@ "observer.vendor": "Fortinet", "process.pid": 5647, "related.ip": [ - "10.91.2.135", - "10.126.245.73" + "10.126.245.73", + "10.91.2.135" ], "related.user": [ "olore" @@ -4971,8 +4971,8 @@ "observer.vendor": "Fortinet", "process.pid": 2313, "related.ip": [ - "10.183.243.246", - "10.137.85.123" + "10.137.85.123", + "10.183.243.246" ], "related.user": [ "cid" @@ -5246,8 +5246,8 @@ "observer.vendor": "Fortinet", "process.pid": 4855, "related.ip": [ - "10.143.53.214", - "10.87.144.208" + "10.87.144.208", + "10.143.53.214" ], "related.user": [ "psumq" @@ -5356,8 +5356,8 @@ "observer.vendor": "Fortinet", "process.pid": 4493, "related.ip": [ - "10.194.67.223", - "10.161.64.168" + "10.161.64.168", + "10.194.67.223" ], "related.user": [ "tion" @@ -5411,8 +5411,8 @@ "observer.vendor": "Fortinet", "process.pid": 6094, "related.ip": [ - "10.120.148.241", - "10.100.154.220" + "10.100.154.220", + "10.120.148.241" ], "related.user": [ "rsitam" diff --git a/x-pack/filebeat/module/fortinet/fields.go b/x-pack/filebeat/module/fortinet/fields.go index 535e8089827..852c9d9d77a 100644 --- a/x-pack/filebeat/module/fortinet/fields.go +++ b/x-pack/filebeat/module/fortinet/fields.go 
@@ -19,5 +19,5 @@ func init() { // AssetFortinet returns asset data. // This is the base64 encoded gzipped contents of module/fortinet. func AssetFortinet() string { - return "" + return "" } diff --git a/x-pack/filebeat/module/fortinet/firewall/_meta/fields.yml b/x-pack/filebeat/module/fortinet/firewall/_meta/fields.yml index 2ac3946889f..d9bdebd7a1e 100644 --- a/x-pack/filebeat/module/fortinet/firewall/_meta/fields.yml +++ b/x-pack/filebeat/module/fortinet/firewall/_meta/fields.yml 
@@ -1,2154 +1,2164 @@ -- name: firewall +- name: fortinet type: group - release: beta - default_field: false description: > - Module for parsing Fortinet syslog. + Fields from fortinet FortiOS fields: - - name: acct_stat - type: keyword - description: > - Accounting state (RADIUS) - - - name: acktime - type: keyword - description: > - Alarm Acknowledge Time - - - name: act - type: keyword - description: > - Action - - - name: action - type: keyword - description: > - Status of the session - - - name: activity - type: keyword - description: > - HA activity message - - - name: addr - type: ip - description: > - IP Address - - - name: addr_type - type: keyword - description: > - Address Type - - - name: addrgrp - type: keyword - description: > - Address Group - - - name: adgroup - type: keyword - description: > - AD Group Name - - - name: admin - type: keyword - description: > - Admin User - - - name: age - type: integer - description: > - Time in seconds - time passed since last seen - - - name: agent - type: keyword - description: > - User agent - eg. 
agent="Mozilla/5.0" - - - name: alarmid - type: integer - description: > - Alarm ID - - - name: alert - type: keyword - description: > - Alert - - - name: analyticscksum - type: keyword - description: > - The checksum of the file submitted for analytics - - - name: analyticssubmit - type: keyword - description: > - The flag for analytics submission - - - name: ap - type: keyword - description: > - Access Point - - - name: app-type - type: keyword - description: > - Address Type - - - name: appact - type: keyword - description: > - The security action from app control - - - name: appid - type: integer - description: > - Application ID - - - name: applist - type: keyword - description: > - Application Control profile - - - name: apprisk - type: keyword - description: > - Application Risk Level - - - name: apscan - type: keyword - description: > - The name of the AP, which scanned and detected the rogue AP - - - name: apsn - type: keyword - description: > - Access Point - - - name: apstatus - type: keyword - description: > - Access Point status - - - name: aptype - type: keyword - description: > - Access Point type - - - name: assigned - type: ip - description: > - Assigned IP Address - - - name: assignip - type: ip - description: > - Assigned IP Address - - - name: attachment - type: keyword - description: > - The flag for email attachement - - - name: attack - type: keyword - description: > - Attack Name - - - name: attackcontext - type: keyword - description: > - The trigger patterns and the packetdata with base64 encoding - - - name: attackcontextid - type: keyword - description: > - Attack context id / total - - - name: attackid - type: integer - description: > - Attack ID - - - name: auditid - type: long - description: > - Audit ID - - - name: auditscore - type: keyword - description: > - The Audit Score - - - name: audittime - type: long - description: > - The time of the audit - - - name: authgrp - type: keyword - description: > - Authorization Group - - - 
name: authid - type: keyword - description: > - Authentication ID - - - name: authproto - type: keyword - description: > - The protocol that initiated the authentication - - - name: authserver - type: keyword - description: > - Authentication server - - - name: bandwidth - type: keyword - description: > - Bandwidth - - - name: banned_rule - type: keyword - description: > - NAC quarantine Banned Rule Name - - - name: banned_src - type: keyword - description: > - NAC quarantine Banned Source IP - - - name: banword - type: keyword - description: > - Banned word - - - name: botnetdomain - type: keyword - description: > - Botnet Domain Name - - - name: botnetip - type: ip - description: > - Botnet IP Address - - - name: bssid - type: keyword - description: > - Service Set ID - - - name: call_id - type: keyword - description: > - Caller ID - - - name: carrier_ep - type: keyword - description: > - The FortiOS Carrier end-point identification - - - name: cat - type: integer - description: > - DNS category ID - - - name: category - type: keyword - description: > - Authentication category - - - name: cc - type: keyword - description: > - CC Email Address - - - name: cdrcontent - type: keyword - description: > - Cdrcontent - - - name: centralnatid - type: integer - description: > - Central NAT ID - - - name: cert - type: keyword - description: > - Certificate - - - name: cert-type - type: keyword - description: > - Certificate type - - - name: certhash - type: keyword - description: > - Certificate hash - - - name: cfgattr - type: keyword - description: > - Configuration attribute - - - name: cfgobj - type: keyword - description: > - Configuration object - - - name: cfgpath - type: keyword - description: > - Configuration path - - - name: cfgtid - type: keyword - description: > - Configuration transaction ID - - - name: cfgtxpower - type: integer - description: > - Configuration TX power - - - name: channel - type: integer - description: > - Wireless Channel - - - name: 
channeltype - type: keyword - description: > - SSH channel type - - - name: chassisid - type: integer - description: > - Chassis ID - - - name: checksum - type: keyword - description: > - The checksum of the scanned file - - - name: chgheaders - type: keyword - description: > - HTTP Headers - - - name: cldobjid - type: keyword - description: > - Connector object ID - - - name: client_addr - type: keyword - description: > - Wifi client address - - - name: cloudaction - type: keyword - description: > - Cloud Action - - - name: clouduser - type: keyword - description: > - Cloud User - - - name: column - type: integer - description: > - VOIP Column - - - name: command - type: keyword - description: > - CLI Command - - - name: community - type: keyword - description: > - SNMP Community - - - name: configcountry - type: keyword - description: > - Configuration country - - - name: connection_type - type: keyword - description: > - FortiClient Connection Type - - - name: conserve - type: keyword - description: > - Flag for conserve mode - - - name: constraint - type: keyword - description: > - WAF http protocol restrictions - - - name: contentdisarmed - type: keyword - description: > - Email scanned content - - - name: contenttype - type: keyword - description: > - Content Type from HTTP header - - - name: cookies - type: keyword - description: > - VPN Cookie - - - name: count - type: integer - description: > - Counts of action type - - - name: countapp - type: integer - description: > - Number of App Ctrl logs associated with the session - - - name: countav - type: integer - description: > - Number of AV logs associated with the session - - - name: countcifs - type: integer - description: > - Number of CIFS logs associated with the session - - - name: countdlp - type: integer - description: > - Number of DLP logs associated with the session - - - name: countdns - type: integer - description: > - Number of DNS logs associated with the session - - - name: countemail - type: 
integer - description: > - Number of email logs associated with the session - - - name: countff - type: integer - description: > - Number of ff logs associated with the session - - - name: countips - type: integer - description: > - Number of IPS logs associated with the session - - - name: countssh - type: integer - description: > - Number of SSH logs associated with the session - - - name: countssl - type: integer - description: > - Number of SSL logs associated with the session - - - name: countwaf - type: integer - description: > - Number of WAF logs associated with the session - - - name: countweb - type: integer - description: > - Number of Web filter logs associated with the session - - - name: cpu - type: integer - description: > - CPU Usage - - - name: craction - type: integer - description: > - Client Reputation Action - - - name: criticalcount - type: integer - description: > - Number of critical ratings - - - name: crl - type: keyword - description: > - Client Reputation Level - - - name: crlevel - type: keyword - description: > - Client Reputation Level - - - name: crscore - type: integer - description: > - Some description - - - name: cveid - type: keyword - description: > - CVE ID - - - name: daemon - type: keyword - description: > - Daemon name - - - name: datarange - type: keyword - description: > - Data range for reports - - - name: date - type: keyword - description: > - Date - - - name: ddnsserver - type: ip - description: > - DDNS server - - - name: desc - type: keyword - description: > - Description - - - name: detectionmethod - type: keyword - description: > - Detection method - - - name: devcategory - type: keyword - description: > - Device category - - - name: devintfname - type: keyword - description: > - HA device Interface Name - - - name: devtype - type: keyword - description: > - Device type - - - name: dhcp_msg - type: keyword - description: > - DHCP Message - - - name: dintf - type: keyword - description: > - Destination interface - 
- - name: disk - type: keyword - description: > - Assosciated disk - - - name: disklograte - type: long - description: > - Disk logging rate - - - name: dlpextra - type: keyword - description: > - DLP extra information - - - name: docsource - type: keyword - description: > - DLP fingerprint document source - - - name: domainctrlauthstate - type: integer - description: > - CIFS domain auth state - - - name: domainctrlauthtype - type: integer - description: > - CIFS domain auth type - - - name: domainctrldomain - type: keyword - description: > - CIFS domain auth domain - - - name: domainctrlip - type: ip - description: > - CIFS Domain IP - - - name: domainctrlname - type: keyword - description: > - CIFS Domain name - - - name: domainctrlprotocoltype - type: integer - description: > - CIFS Domain connection protocol - - - name: domainctrlusername - type: keyword - description: > - CIFS Domain username - - - name: domainfilteridx - type: integer - description: > - Domain filter ID - - - name: domainfilterlist - type: keyword - description: > - Domain filter name - - - name: ds - type: keyword - description: > - Direction with distribution system - - - name: dst_int - type: keyword - description: > - Destination interface - - - name: dstintfrole - type: keyword - description: > - Destination interface role - - - name: dstcountry - type: keyword - description: > - Destination country - - - name: dstdevcategory - type: keyword - description: > - Destination device category - - - name: dstdevtype - type: keyword - description: > - Destination device type - - - name: dstfamily - type: keyword - description: > - Destination OS family - - - name: dsthwvendor - type: keyword - description: > - Destination HW vendor - - - name: dsthwversion - type: keyword - description: > - Destination HW version - - - name: dstinetsvc - type: keyword - description: > - Destination interface service - - - name: dstosname - type: keyword - description: > - Destination OS name - - - name: 
dstosversion - type: keyword - description: > - Destination OS version - - - name: dstserver - type: integer - description: > - Destination server - - - name: dstssid - type: keyword - description: > - Destination SSID - - - name: dstswversion - type: keyword - description: > - Destination software version - - - name: dstunauthusersource - type: keyword - description: > - Destination unauthenticated source - - - name: dstuuid - type: keyword - description: > - UUID of the Destination IP address - - - name: duid - type: keyword - description: > - DHCP UID - - - name: eapolcnt - type: integer - description: > - EAPOL packet count - - - name: eapoltype - type: keyword - description: > - EAPOL packet type - - - name: encrypt - type: integer - description: > - Whether the packet is encrypted or not - - - name: encryption - type: keyword - description: > - Encryption method - - - name: epoch - type: integer - description: > - Epoch used for locating file - - - name: espauth - type: keyword - description: > - ESP Authentication - - - name: esptransform - type: keyword - description: > - ESP Transform - - - name: exch - type: keyword - description: > - Mail Exchanges from DNS response answer section - - - name: exchange - type: keyword - description: > - Mail Exchanges from DNS response answer section - - - name: expectedsignature - type: keyword - description: > - Expected SSL signature - - - name: expiry - type: keyword - description: > - FortiGuard override expiry timestamp - - - name: fams_pause - type: integer - description: > - Fortinet Analysis and Management Service Pause - - - name: fazlograte - type: long - description: > - FortiAnalyzer Logging Rate - - - name: fctemssn - type: keyword - description: > - FortiClient Endpoint SSN - - - name: fctuid - type: keyword - description: > - FortiClient UID - - - name: field - type: keyword - description: > - NTP status field - - - name: filefilter - type: keyword - description: > - The filter used to identify the 
affected file - - - name: filehashsrc - type: keyword - description: > - Filehash source - - - name: filtercat - type: keyword - description: > - DLP filter category - - - name: filteridx - type: integer - description: > - DLP filter ID - - - name: filtername - type: keyword - description: > - DLP rule name - - - name: filtertype - type: keyword - description: > - DLP filter type - - - name: fortiguardresp - type: keyword - description: > - Antispam ESP value - - - name: forwardedfor - type: keyword - description: > - Email address forwarded - - - name: fqdn - type: keyword - description: > - FQDN - - - name: frametype - type: keyword - description: > - Wireless frametype - - - name: freediskstorage - type: integer - description: > - Free disk integer - - - name: from - type: keyword - description: > - From email address - - - name: from_vcluster - type: integer - description: > - Source virtual cluster number - - - name: fsaverdict - type: keyword - description: > - FSA verdict - - - name: fwserver_name - type: keyword - description: > - Web proxy server name - - - name: gateway - type: ip - description: > - Gateway ip address for PPPoE status report - - - name: green - type: keyword - description: > - Memory status - - - name: groupid - type: integer - description: > - User Group ID - - - name: ha-prio - type: integer - description: > - HA Priority - - - name: ha_group - type: keyword - description: > - HA Group - - - name: ha_role - type: keyword - description: > - HA Role - - - name: handshake - type: keyword - description: > - SSL Handshake - - - name: hash - type: keyword - description: > - Hash value of downloaded file - - - name: hbdn_reason - type: keyword - description: > - Heartbeat down reason - - - name: highcount - type: integer - description: > - Highcount fabric summary - - - name: host - type: keyword - description: > - Hostname - - - name: iaid - type: keyword - description: > - DHCPv6 id - - - name: icmpcode - type: keyword - description: > - 
Destination Port of the ICMP message - - - name: icmpid - type: keyword - description: > - Source port of the ICMP message - - - name: icmptype - type: keyword - description: > - The type of ICMP message - - - name: identifier - type: integer - description: > - Network traffic identifier - - - name: in_spi - type: keyword - description: > - IPSEC inbound SPI - - - name: incidentserialno - type: integer - description: > - Incident serial number - - - name: infected - type: integer - description: > - Infected MMS - - - name: infectedfilelevel - type: integer - description: > - DLP infected file level - - - name: informationsource - type: keyword - description: > - Information source - - - name: init - type: keyword - description: > - IPSEC init stage - - - name: initiator - type: keyword - description: > - Original login user name for Fortiguard override - - - name: interface - type: keyword - description: > - Related interface - - - name: intf - type: keyword - description: > - Related interface - - - name: invalidmac - type: keyword - description: > - The MAC address with invalid OUI - - - name: ip - type: ip - description: > - Related IP - - - name: iptype - type: keyword - description: > - Related IP type - - - name: keyword - type: keyword - description: > - Keyword used for search - - - name: kind - type: keyword - description: > - VOIP kind - - - name: lanin - type: long - description: > - LAN incoming traffic in bytes - - - name: lanout - type: long - description: > - LAN outbound traffic in bytes - - - name: lease - type: integer - description: > - DHCP lease - - - name: license_limit - type: keyword - description: > - Maximum Number of FortiClients for the License - - - name: limit - type: integer - description: > - Virtual Domain Resource Limit - - - name: line - type: keyword - description: > - VOIP line - - - name: live - type: integer - description: > - Time in seconds - - - name: local - type: ip - description: > - Local IP for a PPPD Connection - - - 
name: log - type: keyword - description: > - Log message - - - name: login - type: keyword - description: > - SSH login - - - name: lowcount - type: integer - description: > - Fabric lowcount - - - name: mac - type: keyword - description: > - DHCP mac address - - - name: malform_data - type: integer - description: > - VOIP malformed data - - - name: malform_desc - type: keyword - description: > - VOIP malformed data description - - - name: manuf - type: keyword - description: > - Manufacturer name - - - name: masterdstmac - type: keyword - description: > - Master mac address for a host with multiple network interfaces - - - name: mastersrcmac - type: keyword - description: > - The master MAC address for a host that has multiple network interfaces - - - name: mediumcount - type: integer - description: > - Fabric medium count - - - name: mem - type: keyword - description: > - Memory usage system statistics - - - name: meshmode - type: keyword - description: > - Wireless mesh mode - - - name: message_type - type: keyword - description: > - VOIP message type - - - name: method - type: keyword - description: > - HTTP method - - - name: mgmtcnt - type: integer - description: > - The number of unauthorized client flooding managemet frames - - - name: mode - type: keyword - description: > - IPSEC mode - - - name: module - type: keyword - description: > - PCI-DSS module - - - name: monitor-name - type: keyword - description: > - Health Monitor Name - - - name: monitor-type - type: keyword - description: > - Health Monitor Type - - - name: mpsk - type: keyword - description: > - Wireless MPSK - - - name: msgproto - type: keyword - description: > - Message Protocol Number - - - name: mtu - type: integer - description: > - Max Transmission Unit Value - - - name: name - type: keyword - description: > - Name - - - name: nat - type: keyword - description: > - NAT IP Address - - - name: netid - type: keyword - description: > - Connector NetID - - - name: new_status - type: keyword 
- description: > - New status on user change - - - name: new_value - type: keyword - description: > - New Virtual Domain Name - - - name: newchannel - type: integer - description: > - New Channel Number - - - name: newchassisid - type: integer - description: > - New Chassis ID - - - name: newslot - type: integer - description: > - New Slot Number - - - name: nextstat - type: integer - description: > - Time interval in seconds for the next statistics. - - - name: nf_type - type: keyword - description: > - Notification Type - - - name: noise - type: integer - description: > - Wifi Noise - - - name: old_status - type: keyword - description: > - Original Status - - - name: old_value - type: keyword - description: > - Original Virtual Domain name - - - name: oldchannel - type: integer - description: > - Original channel - - - name: oldchassisid - type: integer - description: > - Original Chassis Number - - - name: oldslot - type: integer - description: > - Original Slot Number - - - name: oldsn - type: keyword - description: > - Old Serial number - - - name: oldwprof - type: keyword - description: > - Old Web Filter Profile - - - name: onwire - type: keyword - description: > - A flag to indicate if the AP is onwire or not - - - name: opercountry - type: keyword - description: > - Operating Country - - - name: opertxpower - type: integer - description: > - Operating TX power - - - name: osname - type: keyword - description: > - Operating System name - - - name: osversion - type: keyword - description: > - Operating System version - - - name: out_spi - type: keyword - description: > - Out SPI - - - name: outintf - type: keyword - description: > - Out interface - - - name: passedcount - type: integer - description: > - Fabric passed count - - - name: passwd - type: keyword - description: > - Changed user password information - - - name: path - type: keyword - description: > - Path of looped configuration for security fabric - - - name: peer - type: keyword - description: > 
- WAN optimization peer - - - name: peer_notif - type: keyword - description: > - VPN peer notification - - - name: phase2_name - type: keyword - description: > - VPN phase2 name - - - name: phone - type: keyword - description: > - VOIP Phone - - - name: pid - type: integer - description: > - Process ID - - - name: policytype - type: keyword - description: > - Policy Type - - - name: poolname - type: keyword - description: > - IP Pool name - - - name: port - type: integer - description: > - Log upload error port - - - name: portbegin - type: integer - description: > - IP Pool port number to begin - - - name: portend - type: integer - description: > - IP Pool port number to end - - - name: probeproto - type: keyword - description: > - Link Monitor Probe Protocol - - - name: process - type: keyword - description: > - URL Filter process - - - name: processtime - type: integer - description: > - Process time for reports - - - name: profile - type: keyword - description: > - Profile Name - - - name: profile_vd - type: keyword - description: > - Virtual Domain Name - - - name: profilegroup - type: keyword - description: > - Profile Group Name - - - name: profiletype - type: keyword - description: > - Profile Type - - - name: qtypeval - type: integer - description: > - DNS question type value - - - name: quarskip - type: keyword - description: > - Quarantine skip explanation - - - name: quotaexceeded - type: keyword - description: > - If quota has been exceeded - - - name: quotamax - type: long - description: > - Maximum quota allowed - in seconds if time-based - in bytes if traffic-based - - - name: quotatype - type: keyword - description: > - Quota type - - - name: quotaused - type: long - description: > - Quota used - in seconds if time-based - in bytes if trafficbased) - - - name: radioband - type: keyword - description: > - Radio band - - - name: radioid - type: integer - description: > - Radio ID - - - name: radioidclosest - type: integer - description: > - Radio ID 
on the AP closest the rogue AP - - - name: radioiddetected - type: integer - description: > - Radio ID on the AP which detected the rogue AP - - - name: rate - type: keyword - description: > - Wireless rogue rate value - - - name: rawdata - type: keyword - description: > - Raw data value - - - name: rawdataid - type: keyword - description: > - Raw data ID - - - name: rcvddelta - type: keyword - description: > - Received bytes delta - - - name: reason - type: keyword - description: > - Alert reason - - - name: received - type: integer - description: > - Server key exchange received - - - name: receivedsignature - type: keyword - description: > - Server key exchange received signature - - - name: red - type: keyword - description: > - Memory information in red - - - name: referralurl - type: keyword - description: > - Web filter referralurl - - - name: remote - type: ip - description: > - Remote PPP IP address - - - name: remotewtptime - type: keyword - description: > - Remote Wifi Radius authentication time - - - name: reporttype - type: keyword - description: > - Report type - - - name: reqtype - type: keyword - description: > - Request type - - - name: request_name - type: keyword - description: > - VOIP request name - - - name: result - type: keyword - description: > - VPN phase result - - - name: role - type: keyword - description: > - VPN Phase 2 role - - - name: rssi - type: integer - description: > - Received signal strength indicator - - - name: rsso_key - type: keyword - description: > - RADIUS SSO attribute value - - - name: ruledata - type: keyword - description: > - Rule data - - - name: ruletype - type: keyword - description: > - Rule type - - - name: scanned - type: integer - description: > - Number of Scanned MMSs - - - name: scantime - type: long - description: > - Scanned time - - - name: scope - type: keyword - description: > - FortiGuard Override Scope - - - name: security - type: keyword - description: > - Wireless rogue security - - - name: 
sensitivity - type: keyword - description: > - Sensitivity for document fingerprint - - - name: sensor - type: keyword - description: > - NAC Sensor Name - - - name: sentdelta - type: keyword - description: > - Sent bytes delta - - - name: seq - type: keyword - description: > - Sequence number - - - name: serial - type: keyword - description: > - WAN optimisation serial - - - name: serialno - type: keyword - description: > - Serial number - - - name: server - type: keyword - description: > - AD server FQDN or IP - - - name: session_id - type: keyword - description: > - Session ID - - - name: sessionid - type: integer - description: > - WAD Session ID - - - name: setuprate - type: long - description: > - Session Setup Rate - - - name: severity - type: keyword - description: > - Severity - - - name: shaperdroprcvdbyte - type: integer - description: > - Received bytes dropped by shaper - - - name: shaperdropsentbyte - type: integer - description: > - Sent bytes dropped by shaper - - - name: shaperperipdropbyte - type: integer - description: > - Dropped bytes per IP by shaper - - - name: shaperperipname - type: keyword - description: > - Traffic shaper name (per IP) - - - name: shaperrcvdname - type: keyword - description: > - Traffic shaper name for received traffic - - - name: shapersentname - type: keyword - description: > - Traffic shaper name for sent traffic - - - name: shapingpolicyid - type: integer - description: > - Traffic shaper policy ID - - - name: signal - type: integer - description: > - Wireless rogue API signal - - - name: size - type: long - description: > - Email size in bytes - - - name: slot - type: integer - description: > - Slot number - - - name: sn - type: keyword - description: > - Security fabric serial number - - - name: snclosest - type: keyword - description: > - SN of the AP closest to the rogue AP - - - name: sndetected - type: keyword - description: > - SN of the AP which detected the rogue AP - - - name: snmeshparent - type: keyword - 
description: > - SN of the mesh parent - - - name: spi - type: keyword - description: > - IPSEC SPI - - - name: src_int - type: keyword - description: > - Source interface - - - name: srcintfrole - type: keyword - description: > - Source interface role - - - name: srccountry - type: keyword - description: > - Source country - - - name: srcfamily - type: keyword - description: > - Source family - - - name: srchwvendor - type: keyword - description: > - Source hardware vendor - - - name: srchwversion - type: keyword - description: > - Source hardware version - - - name: srcinetsvc - type: keyword - description: > - Source interface service - - - name: srcname - type: keyword - description: > - Source name - - - name: srcserver - type: integer - description: > - Source server - - - name: srcssid - type: keyword - description: > - Source SSID - - - name: srcswversion - type: keyword - description: > - Source software version - - - name: srcuuid - type: keyword - description: > - Source UUID - - - name: sscname - type: keyword - description: > - SSC name - - - name: ssid - type: keyword - description: > - Base Service Set ID - - - name: sslaction - type: keyword - description: > - SSL Action - - - name: ssllocal - type: keyword - description: > - WAD SSL local - - - name: sslremote - type: keyword - description: > - WAD SSL remote - - - name: stacount - type: integer - description: > - Number of stations/clients - - - name: stage - type: keyword - description: > - IPSEC stage - - - name: stamac - type: keyword - description: > - 802.1x station mac - - - name: state - type: keyword - description: > - Admin login state - - - name: status - type: keyword - description: > - Status - - - name: stitch - type: keyword - description: > - Automation stitch triggered - - - name: subject - type: keyword - description: > - Email subject - - - name: submodule - type: keyword - description: > - Configuration Sub-Module Name - - - name: subservice - type: keyword - description: > - AV 
subservice - - - name: subtype - type: keyword - description: > - Log subtype - - - name: suspicious - type: integer - description: > - Number of Suspicious MMSs - - - name: switchproto - type: keyword - description: > - Protocol change information - - - name: sync_status - type: keyword - description: > - The sync status with the master - - - name: sync_type - type: keyword - description: > - The sync type with the master - - - name: sysuptime - type: keyword - description: > - System uptime - - - name: tamac - type: keyword - description: > - the MAC address of Transmitter, if none, then Receiver - - - name: threattype - type: keyword - description: > - WIDS threat type - - - name: time - type: keyword - description: > - Time of the event - - - name: to - type: keyword - description: > - Email to field - - - name: to_vcluster - type: integer - description: > - destination virtual cluster number - - - name: total - type: integer - description: > - Total memory - - - name: totalsession - type: integer - description: > - Total Number of Sessions - - - name: trace_id - type: keyword - description: > - Session clash trace ID - - - name: trandisp - type: keyword - description: > - NAT translation type - - - name: transid - type: integer - description: > - HTTP transaction ID - - - name: translationid - type: keyword - description: > - DNS filter transaltion ID - - - name: trigger - type: keyword - description: > - Automation stitch trigger - - - name: trueclntip - type: ip - description: > - File filter true client IP - - - name: tunnelid - type: integer - description: > - IPSEC tunnel ID - - - name: tunnelip - type: ip - description: > - IPSEC tunnel IP - - - name: tunneltype - type: keyword - description: > - IPSEC tunnel type - - - name: type - type: keyword - description: > - Module type - - - name: ui - type: keyword - description: > - Admin authentication UI type - - - name: unauthusersource - type: keyword - description: > - Unauthenticated user source - - - 
name: unit - type: integer - description: > - Power supply unit - - - name: urlfilteridx - type: integer - description: > - URL filter ID - - - name: urlfilterlist - type: keyword - description: > - URL filter list - - - name: urlsource - type: keyword - description: > - URL filter source - - - name: urltype - type: keyword - description: > - URL filter type - - - name: used - type: integer - description: > - Number of Used IPs - - - name: used_for_type - type: integer - description: > - Connection for the type - - - name: utmaction - type: keyword - description: > - Security action performed by UTM - - - name: vap - type: keyword - description: > - Virtual AP - - - name: vapmode - type: keyword - description: > - Virtual AP mode - - - name: vcluster - type: integer - description: > - virtual cluster id - - - name: vcluster_member - type: integer - description: > - Virtual cluster member - - - name: vcluster_state - type: keyword - description: > - Virtual cluster state - - - name: vd - type: keyword - description: > - Virtual Domain Name - - - name: vdname - type: keyword - description: > - Virtual Domain Name - - - name: vendorurl - type: keyword - description: > - Vulnerability scan vendor name - - - name: version - type: keyword - description: > - Version - - - name: vip - type: keyword - description: > - Virtual IP - - - name: virus - type: keyword - description: > - Virus name - - - name: virusid - type: integer - description: > - Virus ID (unique virus identifier) - - - name: voip_proto - type: keyword - description: > - VOIP protocol - - - name: vpn - type: keyword - description: > - VPN description - - - name: vpntunnel - type: keyword - description: > - IPsec Vpn Tunnel Name - - - name: vpntype - type: keyword - description: > - The type of the VPN tunnel - - - name: vrf - type: integer - description: > - VRF number - - - name: vulncat - type: keyword - description: > - Vulnerability Category - - - name: vulnid - type: integer - description: > - 
Vulnerability ID - - - name: vulnname - type: keyword - description: > - Vulnerability name - - - name: vwlid - type: integer - description: > - VWL ID - - - name: vwlquality - type: keyword - description: > - VWL quality - - - name: vwlservice - type: keyword - description: > - VWL service - - - name: vwpvlanid - type: integer - description: > - VWP VLAN ID - - - name: wanin - type: long - description: > - WAN incoming traffic in bytes - - - name: wanoptapptype - type: keyword - description: > - WAN Optimization Application type - - - name: wanout - type: long - description: > - WAN outgoing traffic in bytes - - - name: weakwepiv - type: keyword - description: > - Weak Wep Initiation Vector - - - name: xauthgroup - type: keyword - description: > - XAuth Group Name - - - name: xauthuser - type: keyword - description: > - XAuth User Name - - - name: xid - type: integer - description: > - Wireless X ID + - name: file.hash.crc32 + type: keyword + description: > + CRC32 Hash of file + + - name: firewall + type: group + release: beta + default_field: false + description: > + Module for parsing Fortinet syslog. + fields: + - name: acct_stat + type: keyword + description: > + Accounting state (RADIUS) + + - name: acktime + type: keyword + description: > + Alarm Acknowledge Time + + - name: act + type: keyword + description: > + Action + + - name: action + type: keyword + description: > + Status of the session + + - name: activity + type: keyword + description: > + HA activity message + + - name: addr + type: ip + description: > + IP Address + + - name: addr_type + type: keyword + description: > + Address Type + + - name: addrgrp + type: keyword + description: > + Address Group + + - name: adgroup + type: keyword + description: > + AD Group Name + + - name: admin + type: keyword + description: > + Admin User + + - name: age + type: integer + description: > + Time in seconds - time passed since last seen + + - name: agent + type: keyword + description: > + User agent - eg. 
agent="Mozilla/5.0" + + - name: alarmid + type: integer + description: > + Alarm ID + + - name: alert + type: keyword + description: > + Alert + + - name: analyticscksum + type: keyword + description: > + The checksum of the file submitted for analytics + + - name: analyticssubmit + type: keyword + description: > + The flag for analytics submission + + - name: ap + type: keyword + description: > + Access Point + + - name: app-type + type: keyword + description: > + Address Type + + - name: appact + type: keyword + description: > + The security action from app control + + - name: appid + type: integer + description: > + Application ID + + - name: applist + type: keyword + description: > + Application Control profile + + - name: apprisk + type: keyword + description: > + Application Risk Level + + - name: apscan + type: keyword + description: > + The name of the AP, which scanned and detected the rogue AP + + - name: apsn + type: keyword + description: > + Access Point + + - name: apstatus + type: keyword + description: > + Access Point status + + - name: aptype + type: keyword + description: > + Access Point type + + - name: assigned + type: ip + description: > + Assigned IP Address + + - name: assignip + type: ip + description: > + Assigned IP Address + + - name: attachment + type: keyword + description: > + The flag for email attachement + + - name: attack + type: keyword + description: > + Attack Name + + - name: attackcontext + type: keyword + description: > + The trigger patterns and the packetdata with base64 encoding + + - name: attackcontextid + type: keyword + description: > + Attack context id / total + + - name: attackid + type: integer + description: > + Attack ID + + - name: auditid + type: long + description: > + Audit ID + + - name: auditscore + type: keyword + description: > + The Audit Score + + - name: audittime + type: long + description: > + The time of the audit + + - name: authgrp + type: keyword + description: > + Authorization Group + + - 
name: authid + type: keyword + description: > + Authentication ID + + - name: authproto + type: keyword + description: > + The protocol that initiated the authentication + + - name: authserver + type: keyword + description: > + Authentication server + + - name: bandwidth + type: keyword + description: > + Bandwidth + + - name: banned_rule + type: keyword + description: > + NAC quarantine Banned Rule Name + + - name: banned_src + type: keyword + description: > + NAC quarantine Banned Source IP + + - name: banword + type: keyword + description: > + Banned word + + - name: botnetdomain + type: keyword + description: > + Botnet Domain Name + + - name: botnetip + type: ip + description: > + Botnet IP Address + + - name: bssid + type: keyword + description: > + Service Set ID + + - name: call_id + type: keyword + description: > + Caller ID + + - name: carrier_ep + type: keyword + description: > + The FortiOS Carrier end-point identification + + - name: cat + type: integer + description: > + DNS category ID + + - name: category + type: keyword + description: > + Authentication category + + - name: cc + type: keyword + description: > + CC Email Address + + - name: cdrcontent + type: keyword + description: > + Cdrcontent + + - name: centralnatid + type: integer + description: > + Central NAT ID + + - name: cert + type: keyword + description: > + Certificate + + - name: cert-type + type: keyword + description: > + Certificate type + + - name: certhash + type: keyword + description: > + Certificate hash + + - name: cfgattr + type: keyword + description: > + Configuration attribute + + - name: cfgobj + type: keyword + description: > + Configuration object + + - name: cfgpath + type: keyword + description: > + Configuration path + + - name: cfgtid + type: keyword + description: > + Configuration transaction ID + + - name: cfgtxpower + type: integer + description: > + Configuration TX power + + - name: channel + type: integer + description: > + Wireless Channel + + - name: 
channeltype + type: keyword + description: > + SSH channel type + + - name: chassisid + type: integer + description: > + Chassis ID + + - name: checksum + type: keyword + description: > + The checksum of the scanned file + + - name: chgheaders + type: keyword + description: > + HTTP Headers + + - name: cldobjid + type: keyword + description: > + Connector object ID + + - name: client_addr + type: keyword + description: > + Wifi client address + + - name: cloudaction + type: keyword + description: > + Cloud Action + + - name: clouduser + type: keyword + description: > + Cloud User + + - name: column + type: integer + description: > + VOIP Column + + - name: command + type: keyword + description: > + CLI Command + + - name: community + type: keyword + description: > + SNMP Community + + - name: configcountry + type: keyword + description: > + Configuration country + + - name: connection_type + type: keyword + description: > + FortiClient Connection Type + + - name: conserve + type: keyword + description: > + Flag for conserve mode + + - name: constraint + type: keyword + description: > + WAF http protocol restrictions + + - name: contentdisarmed + type: keyword + description: > + Email scanned content + + - name: contenttype + type: keyword + description: > + Content Type from HTTP header + + - name: cookies + type: keyword + description: > + VPN Cookie + + - name: count + type: integer + description: > + Counts of action type + + - name: countapp + type: integer + description: > + Number of App Ctrl logs associated with the session + + - name: countav + type: integer + description: > + Number of AV logs associated with the session + + - name: countcifs + type: integer + description: > + Number of CIFS logs associated with the session + + - name: countdlp + type: integer + description: > + Number of DLP logs associated with the session + + - name: countdns + type: integer + description: > + Number of DNS logs associated with the session + + - name: countemail + type: 
integer + description: > + Number of email logs associated with the session + + - name: countff + type: integer + description: > + Number of ff logs associated with the session + + - name: countips + type: integer + description: > + Number of IPS logs associated with the session + + - name: countssh + type: integer + description: > + Number of SSH logs associated with the session + + - name: countssl + type: integer + description: > + Number of SSL logs associated with the session + + - name: countwaf + type: integer + description: > + Number of WAF logs associated with the session + + - name: countweb + type: integer + description: > + Number of Web filter logs associated with the session + + - name: cpu + type: integer + description: > + CPU Usage + + - name: craction + type: integer + description: > + Client Reputation Action + + - name: criticalcount + type: integer + description: > + Number of critical ratings + + - name: crl + type: keyword + description: > + Client Reputation Level + + - name: crlevel + type: keyword + description: > + Client Reputation Level + + - name: crscore + type: integer + description: > + Some description + + - name: cveid + type: keyword + description: > + CVE ID + + - name: daemon + type: keyword + description: > + Daemon name + + - name: datarange + type: keyword + description: > + Data range for reports + + - name: date + type: keyword + description: > + Date + + - name: ddnsserver + type: ip + description: > + DDNS server + + - name: desc + type: keyword + description: > + Description + + - name: detectionmethod + type: keyword + description: > + Detection method + + - name: devcategory + type: keyword + description: > + Device category + + - name: devintfname + type: keyword + description: > + HA device Interface Name + + - name: devtype + type: keyword + description: > + Device type + + - name: dhcp_msg + type: keyword + description: > + DHCP Message + + - name: dintf + type: keyword + description: > + Destination interface + 
+ - name: disk + type: keyword + description: > + Assosciated disk + + - name: disklograte + type: long + description: > + Disk logging rate + + - name: dlpextra + type: keyword + description: > + DLP extra information + + - name: docsource + type: keyword + description: > + DLP fingerprint document source + + - name: domainctrlauthstate + type: integer + description: > + CIFS domain auth state + + - name: domainctrlauthtype + type: integer + description: > + CIFS domain auth type + + - name: domainctrldomain + type: keyword + description: > + CIFS domain auth domain + + - name: domainctrlip + type: ip + description: > + CIFS Domain IP + + - name: domainctrlname + type: keyword + description: > + CIFS Domain name + + - name: domainctrlprotocoltype + type: integer + description: > + CIFS Domain connection protocol + + - name: domainctrlusername + type: keyword + description: > + CIFS Domain username + + - name: domainfilteridx + type: integer + description: > + Domain filter ID + + - name: domainfilterlist + type: keyword + description: > + Domain filter name + + - name: ds + type: keyword + description: > + Direction with distribution system + + - name: dst_int + type: keyword + description: > + Destination interface + + - name: dstintfrole + type: keyword + description: > + Destination interface role + + - name: dstcountry + type: keyword + description: > + Destination country + + - name: dstdevcategory + type: keyword + description: > + Destination device category + + - name: dstdevtype + type: keyword + description: > + Destination device type + + - name: dstfamily + type: keyword + description: > + Destination OS family + + - name: dsthwvendor + type: keyword + description: > + Destination HW vendor + + - name: dsthwversion + type: keyword + description: > + Destination HW version + + - name: dstinetsvc + type: keyword + description: > + Destination interface service + + - name: dstosname + type: keyword + description: > + Destination OS name + + - name: 
dstosversion + type: keyword + description: > + Destination OS version + + - name: dstserver + type: integer + description: > + Destination server + + - name: dstssid + type: keyword + description: > + Destination SSID + + - name: dstswversion + type: keyword + description: > + Destination software version + + - name: dstunauthusersource + type: keyword + description: > + Destination unauthenticated source + + - name: dstuuid + type: keyword + description: > + UUID of the Destination IP address + + - name: duid + type: keyword + description: > + DHCP UID + + - name: eapolcnt + type: integer + description: > + EAPOL packet count + + - name: eapoltype + type: keyword + description: > + EAPOL packet type + + - name: encrypt + type: integer + description: > + Whether the packet is encrypted or not + + - name: encryption + type: keyword + description: > + Encryption method + + - name: epoch + type: integer + description: > + Epoch used for locating file + + - name: espauth + type: keyword + description: > + ESP Authentication + + - name: esptransform + type: keyword + description: > + ESP Transform + + - name: exch + type: keyword + description: > + Mail Exchanges from DNS response answer section + + - name: exchange + type: keyword + description: > + Mail Exchanges from DNS response answer section + + - name: expectedsignature + type: keyword + description: > + Expected SSL signature + + - name: expiry + type: keyword + description: > + FortiGuard override expiry timestamp + + - name: fams_pause + type: integer + description: > + Fortinet Analysis and Management Service Pause + + - name: fazlograte + type: long + description: > + FortiAnalyzer Logging Rate + + - name: fctemssn + type: keyword + description: > + FortiClient Endpoint SSN + + - name: fctuid + type: keyword + description: > + FortiClient UID + + - name: field + type: keyword + description: > + NTP status field + + - name: filefilter + type: keyword + description: > + The filter used to identify the 
affected file + + - name: filehashsrc + type: keyword + description: > + Filehash source + + - name: filtercat + type: keyword + description: > + DLP filter category + + - name: filteridx + type: integer + description: > + DLP filter ID + + - name: filtername + type: keyword + description: > + DLP rule name + + - name: filtertype + type: keyword + description: > + DLP filter type + + - name: fortiguardresp + type: keyword + description: > + Antispam ESP value + + - name: forwardedfor + type: keyword + description: > + Email address forwarded + + - name: fqdn + type: keyword + description: > + FQDN + + - name: frametype + type: keyword + description: > + Wireless frametype + + - name: freediskstorage + type: integer + description: > + Free disk integer + + - name: from + type: keyword + description: > + From email address + + - name: from_vcluster + type: integer + description: > + Source virtual cluster number + + - name: fsaverdict + type: keyword + description: > + FSA verdict + + - name: fwserver_name + type: keyword + description: > + Web proxy server name + + - name: gateway + type: ip + description: > + Gateway ip address for PPPoE status report + + - name: green + type: keyword + description: > + Memory status + + - name: groupid + type: integer + description: > + User Group ID + + - name: ha-prio + type: integer + description: > + HA Priority + + - name: ha_group + type: keyword + description: > + HA Group + + - name: ha_role + type: keyword + description: > + HA Role + + - name: handshake + type: keyword + description: > + SSL Handshake + + - name: hash + type: keyword + description: > + Hash value of downloaded file + + - name: hbdn_reason + type: keyword + description: > + Heartbeat down reason + + - name: highcount + type: integer + description: > + Highcount fabric summary + + - name: host + type: keyword + description: > + Hostname + + - name: iaid + type: keyword + description: > + DHCPv6 id + + - name: icmpcode + type: keyword + description: > + 
Destination Port of the ICMP message + + - name: icmpid + type: keyword + description: > + Source port of the ICMP message + + - name: icmptype + type: keyword + description: > + The type of ICMP message + + - name: identifier + type: integer + description: > + Network traffic identifier + + - name: in_spi + type: keyword + description: > + IPSEC inbound SPI + + - name: incidentserialno + type: integer + description: > + Incident serial number + + - name: infected + type: integer + description: > + Infected MMS + + - name: infectedfilelevel + type: integer + description: > + DLP infected file level + + - name: informationsource + type: keyword + description: > + Information source + + - name: init + type: keyword + description: > + IPSEC init stage + + - name: initiator + type: keyword + description: > + Original login user name for Fortiguard override + + - name: interface + type: keyword + description: > + Related interface + + - name: intf + type: keyword + description: > + Related interface + + - name: invalidmac + type: keyword + description: > + The MAC address with invalid OUI + + - name: ip + type: ip + description: > + Related IP + + - name: iptype + type: keyword + description: > + Related IP type + + - name: keyword + type: keyword + description: > + Keyword used for search + + - name: kind + type: keyword + description: > + VOIP kind + + - name: lanin + type: long + description: > + LAN incoming traffic in bytes + + - name: lanout + type: long + description: > + LAN outbound traffic in bytes + + - name: lease + type: integer + description: > + DHCP lease + + - name: license_limit + type: keyword + description: > + Maximum Number of FortiClients for the License + + - name: limit + type: integer + description: > + Virtual Domain Resource Limit + + - name: line + type: keyword + description: > + VOIP line + + - name: live + type: integer + description: > + Time in seconds + + - name: local + type: ip + description: > + Local IP for a PPPD Connection + + - 
name: log + type: keyword + description: > + Log message + + - name: login + type: keyword + description: > + SSH login + + - name: lowcount + type: integer + description: > + Fabric lowcount + + - name: mac + type: keyword + description: > + DHCP mac address + + - name: malform_data + type: integer + description: > + VOIP malformed data + + - name: malform_desc + type: keyword + description: > + VOIP malformed data description + + - name: manuf + type: keyword + description: > + Manufacturer name + + - name: masterdstmac + type: keyword + description: > + Master mac address for a host with multiple network interfaces + + - name: mastersrcmac + type: keyword + description: > + The master MAC address for a host that has multiple network interfaces + + - name: mediumcount + type: integer + description: > + Fabric medium count + + - name: mem + type: keyword + description: > + Memory usage system statistics + + - name: meshmode + type: keyword + description: > + Wireless mesh mode + + - name: message_type + type: keyword + description: > + VOIP message type + + - name: method + type: keyword + description: > + HTTP method + + - name: mgmtcnt + type: integer + description: > + The number of unauthorized client flooding managemet frames + + - name: mode + type: keyword + description: > + IPSEC mode + + - name: module + type: keyword + description: > + PCI-DSS module + + - name: monitor-name + type: keyword + description: > + Health Monitor Name + + - name: monitor-type + type: keyword + description: > + Health Monitor Type + + - name: mpsk + type: keyword + description: > + Wireless MPSK + + - name: msgproto + type: keyword + description: > + Message Protocol Number + + - name: mtu + type: integer + description: > + Max Transmission Unit Value + + - name: name + type: keyword + description: > + Name + + - name: nat + type: keyword + description: > + NAT IP Address + + - name: netid + type: keyword + description: > + Connector NetID + + - name: new_status + type: keyword 
+ description: > + New status on user change + + - name: new_value + type: keyword + description: > + New Virtual Domain Name + + - name: newchannel + type: integer + description: > + New Channel Number + + - name: newchassisid + type: integer + description: > + New Chassis ID + + - name: newslot + type: integer + description: > + New Slot Number + + - name: nextstat + type: integer + description: > + Time interval in seconds for the next statistics. + + - name: nf_type + type: keyword + description: > + Notification Type + + - name: noise + type: integer + description: > + Wifi Noise + + - name: old_status + type: keyword + description: > + Original Status + + - name: old_value + type: keyword + description: > + Original Virtual Domain name + + - name: oldchannel + type: integer + description: > + Original channel + + - name: oldchassisid + type: integer + description: > + Original Chassis Number + + - name: oldslot + type: integer + description: > + Original Slot Number + + - name: oldsn + type: keyword + description: > + Old Serial number + + - name: oldwprof + type: keyword + description: > + Old Web Filter Profile + + - name: onwire + type: keyword + description: > + A flag to indicate if the AP is onwire or not + + - name: opercountry + type: keyword + description: > + Operating Country + + - name: opertxpower + type: integer + description: > + Operating TX power + + - name: osname + type: keyword + description: > + Operating System name + + - name: osversion + type: keyword + description: > + Operating System version + + - name: out_spi + type: keyword + description: > + Out SPI + + - name: outintf + type: keyword + description: > + Out interface + + - name: passedcount + type: integer + description: > + Fabric passed count + + - name: passwd + type: keyword + description: > + Changed user password information + + - name: path + type: keyword + description: > + Path of looped configuration for security fabric + + - name: peer + type: keyword + description: > 
+ WAN optimization peer + + - name: peer_notif + type: keyword + description: > + VPN peer notification + + - name: phase2_name + type: keyword + description: > + VPN phase2 name + + - name: phone + type: keyword + description: > + VOIP Phone + + - name: pid + type: integer + description: > + Process ID + + - name: policytype + type: keyword + description: > + Policy Type + + - name: poolname + type: keyword + description: > + IP Pool name + + - name: port + type: integer + description: > + Log upload error port + + - name: portbegin + type: integer + description: > + IP Pool port number to begin + + - name: portend + type: integer + description: > + IP Pool port number to end + + - name: probeproto + type: keyword + description: > + Link Monitor Probe Protocol + + - name: process + type: keyword + description: > + URL Filter process + + - name: processtime + type: integer + description: > + Process time for reports + + - name: profile + type: keyword + description: > + Profile Name + + - name: profile_vd + type: keyword + description: > + Virtual Domain Name + + - name: profilegroup + type: keyword + description: > + Profile Group Name + + - name: profiletype + type: keyword + description: > + Profile Type + + - name: qtypeval + type: integer + description: > + DNS question type value + + - name: quarskip + type: keyword + description: > + Quarantine skip explanation + + - name: quotaexceeded + type: keyword + description: > + If quota has been exceeded + + - name: quotamax + type: long + description: > + Maximum quota allowed - in seconds if time-based - in bytes if traffic-based + + - name: quotatype + type: keyword + description: > + Quota type + + - name: quotaused + type: long + description: > + Quota used - in seconds if time-based - in bytes if trafficbased) + + - name: radioband + type: keyword + description: > + Radio band + + - name: radioid + type: integer + description: > + Radio ID + + - name: radioidclosest + type: integer + description: > + Radio ID 
on the AP closest the rogue AP + + - name: radioiddetected + type: integer + description: > + Radio ID on the AP which detected the rogue AP + + - name: rate + type: keyword + description: > + Wireless rogue rate value + + - name: rawdata + type: keyword + description: > + Raw data value + + - name: rawdataid + type: keyword + description: > + Raw data ID + + - name: rcvddelta + type: keyword + description: > + Received bytes delta + + - name: reason + type: keyword + description: > + Alert reason + + - name: received + type: integer + description: > + Server key exchange received + + - name: receivedsignature + type: keyword + description: > + Server key exchange received signature + + - name: red + type: keyword + description: > + Memory information in red + + - name: referralurl + type: keyword + description: > + Web filter referralurl + + - name: remote + type: ip + description: > + Remote PPP IP address + + - name: remotewtptime + type: keyword + description: > + Remote Wifi Radius authentication time + + - name: reporttype + type: keyword + description: > + Report type + + - name: reqtype + type: keyword + description: > + Request type + + - name: request_name + type: keyword + description: > + VOIP request name + + - name: result + type: keyword + description: > + VPN phase result + + - name: role + type: keyword + description: > + VPN Phase 2 role + + - name: rssi + type: integer + description: > + Received signal strength indicator + + - name: rsso_key + type: keyword + description: > + RADIUS SSO attribute value + + - name: ruledata + type: keyword + description: > + Rule data + + - name: ruletype + type: keyword + description: > + Rule type + + - name: scanned + type: integer + description: > + Number of Scanned MMSs + + - name: scantime + type: long + description: > + Scanned time + + - name: scope + type: keyword + description: > + FortiGuard Override Scope + + - name: security + type: keyword + description: > + Wireless rogue security + + - name: 
sensitivity + type: keyword + description: > + Sensitivity for document fingerprint + + - name: sensor + type: keyword + description: > + NAC Sensor Name + + - name: sentdelta + type: keyword + description: > + Sent bytes delta + + - name: seq + type: keyword + description: > + Sequence number + + - name: serial + type: keyword + description: > + WAN optimisation serial + + - name: serialno + type: keyword + description: > + Serial number + + - name: server + type: keyword + description: > + AD server FQDN or IP + + - name: session_id + type: keyword + description: > + Session ID + + - name: sessionid + type: integer + description: > + WAD Session ID + + - name: setuprate + type: long + description: > + Session Setup Rate + + - name: severity + type: keyword + description: > + Severity + + - name: shaperdroprcvdbyte + type: integer + description: > + Received bytes dropped by shaper + + - name: shaperdropsentbyte + type: integer + description: > + Sent bytes dropped by shaper + + - name: shaperperipdropbyte + type: integer + description: > + Dropped bytes per IP by shaper + + - name: shaperperipname + type: keyword + description: > + Traffic shaper name (per IP) + + - name: shaperrcvdname + type: keyword + description: > + Traffic shaper name for received traffic + + - name: shapersentname + type: keyword + description: > + Traffic shaper name for sent traffic + + - name: shapingpolicyid + type: integer + description: > + Traffic shaper policy ID + + - name: signal + type: integer + description: > + Wireless rogue API signal + + - name: size + type: long + description: > + Email size in bytes + + - name: slot + type: integer + description: > + Slot number + + - name: sn + type: keyword + description: > + Security fabric serial number + + - name: snclosest + type: keyword + description: > + SN of the AP closest to the rogue AP + + - name: sndetected + type: keyword + description: > + SN of the AP which detected the rogue AP + + - name: snmeshparent + type: keyword + 
description: > + SN of the mesh parent + + - name: spi + type: keyword + description: > + IPSEC SPI + + - name: src_int + type: keyword + description: > + Source interface + + - name: srcintfrole + type: keyword + description: > + Source interface role + + - name: srccountry + type: keyword + description: > + Source country + + - name: srcfamily + type: keyword + description: > + Source family + + - name: srchwvendor + type: keyword + description: > + Source hardware vendor + + - name: srchwversion + type: keyword + description: > + Source hardware version + + - name: srcinetsvc + type: keyword + description: > + Source interface service + + - name: srcname + type: keyword + description: > + Source name + + - name: srcserver + type: integer + description: > + Source server + + - name: srcssid + type: keyword + description: > + Source SSID + + - name: srcswversion + type: keyword + description: > + Source software version + + - name: srcuuid + type: keyword + description: > + Source UUID + + - name: sscname + type: keyword + description: > + SSC name + + - name: ssid + type: keyword + description: > + Base Service Set ID + + - name: sslaction + type: keyword + description: > + SSL Action + + - name: ssllocal + type: keyword + description: > + WAD SSL local + + - name: sslremote + type: keyword + description: > + WAD SSL remote + + - name: stacount + type: integer + description: > + Number of stations/clients + + - name: stage + type: keyword + description: > + IPSEC stage + + - name: stamac + type: keyword + description: > + 802.1x station mac + + - name: state + type: keyword + description: > + Admin login state + + - name: status + type: keyword + description: > + Status + + - name: stitch + type: keyword + description: > + Automation stitch triggered + + - name: subject + type: keyword + description: > + Email subject + + - name: submodule + type: keyword + description: > + Configuration Sub-Module Name + + - name: subservice + type: keyword + description: > + AV 
subservice + + - name: subtype + type: keyword + description: > + Log subtype + + - name: suspicious + type: integer + description: > + Number of Suspicious MMSs + + - name: switchproto + type: keyword + description: > + Protocol change information + + - name: sync_status + type: keyword + description: > + The sync status with the master + + - name: sync_type + type: keyword + description: > + The sync type with the master + + - name: sysuptime + type: keyword + description: > + System uptime + + - name: tamac + type: keyword + description: > + the MAC address of Transmitter, if none, then Receiver + + - name: threattype + type: keyword + description: > + WIDS threat type + + - name: time + type: keyword + description: > + Time of the event + + - name: to + type: keyword + description: > + Email to field + + - name: to_vcluster + type: integer + description: > + destination virtual cluster number + + - name: total + type: integer + description: > + Total memory + + - name: totalsession + type: integer + description: > + Total Number of Sessions + + - name: trace_id + type: keyword + description: > + Session clash trace ID + + - name: trandisp + type: keyword + description: > + NAT translation type + + - name: transid + type: integer + description: > + HTTP transaction ID + + - name: translationid + type: keyword + description: > + DNS filter transaltion ID + + - name: trigger + type: keyword + description: > + Automation stitch trigger + + - name: trueclntip + type: ip + description: > + File filter true client IP + + - name: tunnelid + type: integer + description: > + IPSEC tunnel ID + + - name: tunnelip + type: ip + description: > + IPSEC tunnel IP + + - name: tunneltype + type: keyword + description: > + IPSEC tunnel type + + - name: type + type: keyword + description: > + Module type + + - name: ui + type: keyword + description: > + Admin authentication UI type + + - name: unauthusersource + type: keyword + description: > + Unauthenticated user source + + - 
name: unit + type: integer + description: > + Power supply unit + + - name: urlfilteridx + type: integer + description: > + URL filter ID + + - name: urlfilterlist + type: keyword + description: > + URL filter list + + - name: urlsource + type: keyword + description: > + URL filter source + + - name: urltype + type: keyword + description: > + URL filter type + + - name: used + type: integer + description: > + Number of Used IPs + + - name: used_for_type + type: integer + description: > + Connection for the type + + - name: utmaction + type: keyword + description: > + Security action performed by UTM + + - name: vap + type: keyword + description: > + Virtual AP + + - name: vapmode + type: keyword + description: > + Virtual AP mode + + - name: vcluster + type: integer + description: > + virtual cluster id + + - name: vcluster_member + type: integer + description: > + Virtual cluster member + + - name: vcluster_state + type: keyword + description: > + Virtual cluster state + + - name: vd + type: keyword + description: > + Virtual Domain Name + + - name: vdname + type: keyword + description: > + Virtual Domain Name + + - name: vendorurl + type: keyword + description: > + Vulnerability scan vendor name + + - name: version + type: keyword + description: > + Version + + - name: vip + type: keyword + description: > + Virtual IP + + - name: virus + type: keyword + description: > + Virus name + + - name: virusid + type: integer + description: > + Virus ID (unique virus identifier) + + - name: voip_proto + type: keyword + description: > + VOIP protocol + + - name: vpn + type: keyword + description: > + VPN description + + - name: vpntunnel + type: keyword + description: > + IPsec Vpn Tunnel Name + + - name: vpntype + type: keyword + description: > + The type of the VPN tunnel + + - name: vrf + type: integer + description: > + VRF number + + - name: vulncat + type: keyword + description: > + Vulnerability Category + + - name: vulnid + type: integer + description: > + 
Vulnerability ID + + - name: vulnname + type: keyword + description: > + Vulnerability name + + - name: vwlid + type: integer + description: > + VWL ID + + - name: vwlquality + type: keyword + description: > + VWL quality + + - name: vwlservice + type: keyword + description: > + VWL service + + - name: vwpvlanid + type: integer + description: > + VWP VLAN ID + + - name: wanin + type: long + description: > + WAN incoming traffic in bytes + + - name: wanoptapptype + type: keyword + description: > + WAN Optimization Application type + + - name: wanout + type: long + description: > + WAN outgoing traffic in bytes + + - name: weakwepiv + type: keyword + description: > + Weak Wep Initiation Vector + + - name: xauthgroup + type: keyword + description: > + XAuth Group Name + + - name: xauthuser + type: keyword + description: > + XAuth User Name + + - name: xid + type: integer + description: > + Wireless X ID diff --git a/x-pack/filebeat/module/googlecloud/audit/test/audit-log-entries.json.log-expected.json b/x-pack/filebeat/module/googlecloud/audit/test/audit-log-entries.json.log-expected.json index 18754e2db95..8e5b00aeef8 100644 --- a/x-pack/filebeat/module/googlecloud/audit/test/audit-log-entries.json.log-expected.json +++ b/x-pack/filebeat/module/googlecloud/audit/test/audit-log-entries.json.log-expected.json @@ -79,7 +79,7 @@ "forwarded" ], "user.email": "xxx@xxx.xxx", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)", "user_agent.os.full": "Mac OS X 10.15", @@ -136,7 +136,7 @@ "forwarded" ], "user.email": "xxx@xxx.xxx", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)", "user_agent.os.full": "Mac OS X 10.15", 
@@ -188,7 +188,7 @@ "forwarded" ], "user.email": "xxx@xxx.xxx", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)", "user_agent.os.full": "Mac OS X 10.15", diff --git a/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json b/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json index 4ab905ff64f..555b06cb1da 100644 --- a/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json +++ b/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json @@ -20,13 +20,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.81.122.126", - "10.70.155.35" + "10.70.155.35", + "10.81.122.126" ], "related.user": [ "magn", - "aqui", - "tatno" + "tatno", + "aqui" ], "rsa.counters.dclass_c1": 5910, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -106,13 +106,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.58.116.231", - "10.159.182.171" + "10.159.182.171", + "10.58.116.231" ], "related.user": [ "qua", - "temUten", - "uradi" + "uradi", + "temUten" ], "rsa.counters.dclass_c1": 3626, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -161,13 +161,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.232.27.250", - "10.18.124.28" + "10.18.124.28", + "10.232.27.250" ], "related.user": [ - "mquidol", + "lapariat", "modocons", - "lapariat" + "mquidol" ], "rsa.counters.dclass_c1": 6564, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -227,8 +227,8 @@ ], "related.user": [ "oluptas", - "occae", - "intoc" + "intoc", + "occae" ], "rsa.counters.event_counter": 7243, "rsa.db.database": "tNequepo", 
@@ -352,12 +352,12 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.129.149.43", - "10.211.105.204" + "10.211.105.204", + "10.129.149.43" ], "related.user": [ - "labor", "orema", + "labor", "eveli" ], "rsa.counters.dclass_c1": 6855, @@ -415,9 +415,9 @@ "10.112.250.193" ], "related.user": [ - "ipsumdol", "ide", - "Exc" + "Exc", + "ipsumdol" ], "rsa.counters.dclass_c1": 6852, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -469,13 +469,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.192.34.76", - "10.251.20.13" + "10.251.20.13", + "10.192.34.76" ], "related.user": [ - "iquipe", + "ovol", "tnonpro", - "ovol" + "iquipe" ], "rsa.counters.dclass_c1": 3645, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -528,9 +528,9 @@ "10.59.138.212" ], "related.user": [ - "archite", + "boree", "idunt", - "boree" + "archite" ], "rsa.counters.dclass_c1": 248, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -583,13 +583,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.168.159.13", - "10.230.173.4" + "10.230.173.4", + "10.168.159.13" ], "related.user": [ - "isnostr", + "atemq", "inci", - "atemq" + "isnostr" ], "rsa.counters.dclass_c1": 6135, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -646,9 +646,9 @@ "10.49.167.57" ], "related.user": [ - "ccaeca", + "tali", "sau", - "tali" + "ccaeca" ], "rsa.counters.dclass_c1": 6818, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -708,16 +708,16 @@ ], "related.user": [ "lorsita", - "llamco", - "dolore" + "dolore", + "llamco" ], "rsa.counters.event_counter": 4603, "rsa.db.database": "uptate", "rsa.internal.event_desc": "aquae", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "accept", - "quasia" + "quasia", + "accept" ], "rsa.misc.category": "boreetdo", "rsa.misc.disposition": "aturve", 
@@ -774,9 +774,9 @@ "10.204.128.215" ], "related.user": [ - "paquioff", "nci", - "rum" + "rum", + "paquioff" ], "rsa.counters.event_counter": 332, "rsa.db.database": "isau", @@ -833,13 +833,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.200.68.129", - "10.34.148.166" + "10.34.148.166", + "10.200.68.129" ], "related.user": [ - "miu", "icabo", - "untutlab" + "untutlab", + "miu" ], "rsa.counters.dclass_c1": 5427, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -893,8 +893,8 @@ ], "related.user": [ "siu", - "conse", - "licabo" + "licabo", + "conse" ], "rsa.counters.dclass_c1": 6356, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -952,8 +952,8 @@ ], "related.user": [ "dipisci", - "olori", - "velite" + "velite", + "olori" ], "rsa.counters.dclass_c1": 7717, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1006,13 +1006,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.233.120.207", - "10.190.10.219" + "10.190.10.219", + "10.233.120.207" ], "related.user": [ "item", - "accusant", - "quamnih" + "quamnih", + "accusant" ], "rsa.counters.dclass_c1": 3278, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1093,13 +1093,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.248.184.200", - "10.100.98.56" + "10.100.98.56", + "10.248.184.200" ], "related.user": [ - "proident", + "boru", "ritati", - "boru" + "proident" ], "rsa.counters.dclass_c1": 5923, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1152,13 +1152,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.197.6.245", - "10.82.28.220" + "10.82.28.220", + "10.197.6.245" ], "related.user": [ "aecatcup", - "oluptat", - "dtempo" + "dtempo", + "oluptat" ], "rsa.counters.dclass_c1": 3071, "rsa.counters.dclass_c1_str": "Affected Rows", 
@@ -1211,8 +1211,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.167.252.183", - "10.6.27.103" + "10.6.27.103", + "10.167.252.183" ], "related.user": [ "redol", @@ -1276,8 +1276,8 @@ "10.88.45.111" ], "related.user": [ - "iameaque", "undeomni", + "iameaque", "lmole" ], "rsa.counters.event_counter": 6344, @@ -1341,9 +1341,9 @@ "10.29.119.245" ], "related.user": [ - "scipitl", "taliqui", - "edolorin" + "edolorin", + "scipitl" ], "rsa.counters.dclass_c1": 5140, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1411,8 +1411,8 @@ "rsa.internal.event_desc": "liquid", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "vitaed", - "allow" + "allow", + "vitaed" ], "rsa.misc.category": "enim", "rsa.misc.disposition": "Finibus", @@ -1463,13 +1463,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.105.190.170", - "10.182.152.242" + "10.182.152.242", + "10.105.190.170" ], "related.user": [ - "litan", "mquisn", - "doeiu" + "doeiu", + "litan" ], "rsa.counters.dclass_c1": 3474, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1528,9 +1528,9 @@ "10.123.166.197" ], "related.user": [ - "liquam", "emUte", - "min" + "min", + "liquam" ], "rsa.counters.event_counter": 7102, "rsa.db.database": "oluptat", @@ -1588,13 +1588,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.201.168.116", - "10.72.75.207" + "10.72.75.207", + "10.201.168.116" ], "related.user": [ - "urau", "eufug", - "eFini" + "eFini", + "urau" ], "rsa.counters.dclass_c1": 3348, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1651,8 +1651,8 @@ "10.58.133.175" ], "related.user": [ - "nde", "mfu", + "nde", "oco" ], "rsa.counters.dclass_c1": 3795, 
@@ -1706,13 +1706,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.70.29.203", - "10.169.50.59" + "10.169.50.59", + "10.70.29.203" ], "related.user": [ - "pta", "veniamq", - "mquisnos" + "mquisnos", + "pta" ], "rsa.counters.dclass_c1": 2358, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1765,13 +1765,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.137.85.123", - "10.165.182.111" + "10.165.182.111", + "10.137.85.123" ], "related.user": [ - "ames", + "Bonorum", "sis", - "Bonorum" + "ames" ], "rsa.counters.dclass_c1": 6401, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1854,13 +1854,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.173.178.109", - "10.64.184.196" + "10.64.184.196", + "10.173.178.109" ], "related.user": [ "uian", - "tam", - "nesci" + "nesci", + "tam" ], "rsa.counters.event_counter": 4493, "rsa.db.database": "sin", @@ -1923,8 +1923,8 @@ "10.90.50.149" ], "related.user": [ - "aUtenima", "olupta", + "aUtenima", "olu" ], "rsa.counters.dclass_c1": 1127, @@ -1982,9 +1982,9 @@ "10.18.150.82" ], "related.user": [ + "luptat", "mtota", - "qua", - "luptat" + "qua" ], "rsa.counters.dclass_c1": 6112, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2068,9 +2068,9 @@ "10.151.240.35" ], "related.user": [ - "lam", + "ama", "ametcons", - "ama" + "lam" ], "rsa.counters.dclass_c1": 4325, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2124,8 +2124,8 @@ ], "related.user": [ "quisn", - "ese", - "quasi" + "quasi", + "ese" ], "rsa.counters.dclass_c1": 3970, "rsa.counters.dclass_c1_str": "Affected Rows", 
@@ -2180,21 +2180,21 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.213.165.165", - "10.254.10.98" + "10.254.10.98", + "10.213.165.165" ], "related.user": [ - "ttenb", + "eufugia", "civeli", - "eufugia" + "ttenb" ], "rsa.counters.event_counter": 7365, "rsa.db.database": "utlabore", "rsa.internal.event_desc": "culpaq", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "cancel", - "uptasn" + "uptasn", + "cancel" ], "rsa.misc.category": "quamq", "rsa.misc.disposition": "usan", @@ -2340,13 +2340,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.45.69.152", - "10.29.138.31" + "10.29.138.31", + "10.45.69.152" ], "related.user": [ "volupta", - "umq", - "tsunt" + "tsunt", + "umq" ], "rsa.counters.dclass_c1": 744, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2403,9 +2403,9 @@ "10.152.213.228" ], "related.user": [ + "itationu", "ptatev", - "velillum", - "itationu" + "velillum" ], "rsa.counters.dclass_c1": 7245, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2486,13 +2486,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.208.33.55", - "10.248.102.129" + "10.248.102.129", + "10.208.33.55" ], "related.user": [ - "ulapari", + "mremaper", "inimv", - "mremaper" + "ulapari" ], "rsa.counters.dclass_c1": 6433, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2545,13 +2545,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.203.164.132", - "10.109.230.216" + "10.109.230.216", + "10.203.164.132" ], "related.user": [ - "ectobea", "ibus", - "mporin" + "mporin", + "ectobea" ], "rsa.counters.dclass_c1": 547, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2604,8 +2604,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.117.81.75", - "10.151.203.60" + "10.151.203.60", + "10.117.81.75" ], "related.user": [ "iconsequ", 
@@ -2663,13 +2663,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.224.217.153", - "10.45.152.205" + "10.45.152.205", + "10.224.217.153" ], "related.user": [ - "utlabo", "eriti", - "imav" + "imav", + "utlabo" ], "rsa.counters.dclass_c1": 922, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2723,21 +2723,21 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.60.164.100", - "10.1.193.187" + "10.1.193.187", + "10.60.164.100" ], "related.user": [ - "adipis", + "hite", "ugi", - "hite" + "adipis" ], "rsa.counters.event_counter": 508, "rsa.db.database": "abo", "rsa.internal.event_desc": "epteurs", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "allow", - "taevitae" + "taevitae", + "allow" ], "rsa.misc.category": "itse", "rsa.misc.disposition": "rever", @@ -2791,9 +2791,9 @@ "10.248.244.203" ], "related.user": [ + "sum", "mquamei", - "eiusm", - "sum" + "eiusm" ], "rsa.counters.dclass_c1": 3058, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2846,9 +2846,9 @@ "10.86.121.152" ], "related.user": [ - "nimv", "ine", - "consecte" + "consecte", + "nimv" ], "rsa.counters.dclass_c1": 2771, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2901,13 +2901,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.204.223.184", - "10.201.223.119" + "10.201.223.119", + "10.204.223.184" ], "related.user": [ - "rcit", "teni", - "tuserror" + "tuserror", + "rcit" ], "rsa.counters.dclass_c1": 4113, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2964,8 +2964,8 @@ "10.200.12.126" ], "related.user": [ - "Nequepo", "elitsedd", + "Nequepo", "magnido" ], "rsa.counters.dclass_c1": 3243, 
@@ -3021,13 +3021,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.94.89.177", - "10.65.225.101" + "10.65.225.101", + "10.94.89.177" ], "related.user": [ "citation", - "tuserror", - "emquel" + "emquel", + "tuserror" ], "rsa.counters.event_counter": 2513, "rsa.db.database": "rspiciat", @@ -3090,8 +3090,8 @@ ], "related.user": [ "tione", - "iin", - "uta" + "uta", + "iin" ], "rsa.counters.dclass_c1": 5836, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3146,17 +3146,17 @@ "10.41.181.179" ], "related.user": [ + "iosamn", "equepor", - "niam", - "iosamn" + "niam" ], "rsa.counters.event_counter": 7468, "rsa.db.database": "erspicia", "rsa.internal.event_desc": "ibusB", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "rumwr", - "deny" + "deny", + "rumwr" ], "rsa.misc.category": "rporis", "rsa.misc.disposition": "etco", @@ -3211,9 +3211,9 @@ "10.21.208.103" ], "related.user": [ - "ostr", "imidest", - "mipsa" + "mipsa", + "ostr" ], "rsa.counters.dclass_c1": 7766, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3270,9 +3270,9 @@ "10.23.6.216" ], "related.user": [ - "iarchit", "tevelite", - "iamquisn" + "iamquisn", + "iarchit" ], "rsa.counters.dclass_c1": 639, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3332,16 +3332,16 @@ ], "related.user": [ "modtempo", - "nofde", - "animide" + "animide", + "nofde" ], "rsa.counters.event_counter": 7580, "rsa.db.database": "Lore", "rsa.internal.event_desc": "nto", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "ali", - "cancel" + "cancel", + "ali" ], "rsa.misc.category": "sciv", "rsa.misc.disposition": "tlabo", @@ -3397,9 +3397,9 @@ "10.178.79.217" ], "related.user": [ - "ccusan", "inibusBo", - "tqui" + "tqui", + "ccusan" ], "rsa.counters.event_counter": 3538, "rsa.db.database": "sequun", @@ -3461,8 +3461,8 @@ "10.77.86.215" ], "related.user": [ - "meaqu", "rcit", + "meaqu", "xerc" ], "rsa.counters.dclass_c1": 7286, 
@@ -3515,12 +3515,12 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.186.133.184", - "10.211.161.187" + "10.211.161.187", + "10.186.133.184" ], "related.user": [ - "sci", "boriosa", + "sci", "acons" ], "rsa.counters.dclass_c1": 1578, @@ -3569,8 +3569,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.254.198.47", - "10.160.147.230" + "10.160.147.230", + "10.254.198.47" ], "related.user": [ "illoin", @@ -3624,8 +3624,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.182.197.243", - "10.40.24.93" + "10.40.24.93", + "10.182.197.243" ], "related.user": [ "orisnis", @@ -3683,12 +3683,12 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.249.13.159", - "10.108.130.106" + "10.108.130.106", + "10.249.13.159" ], "related.user": [ - "colab", "uisautei", + "colab", "exeacomm" ], "rsa.counters.dclass_c1": 1044, @@ -3744,12 +3744,12 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.39.244.49", - "10.64.94.174" + "10.64.94.174", + "10.39.244.49" ], "related.user": [ - "iunt", "Sedut", + "iunt", "estiae" ], "rsa.counters.event_counter": 7128, @@ -3757,8 +3757,8 @@ "rsa.internal.event_desc": "enimips", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "cancel", - "gna" + "gna", + "cancel" ], "rsa.misc.category": "Nequepor", "rsa.misc.disposition": "nisiu", @@ -3923,8 +3923,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.43.244.252", - "10.251.212.166" + "10.251.212.166", + "10.43.244.252" ], "related.user": [ "uptat", @@ -4015,8 +4015,8 @@ ], "related.user": [ "mqu", - "uatDuisa", - "tesseq" + "tesseq", + "uatDuisa" ], "rsa.counters.dclass_c1": 1623, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4102,8 +4102,8 @@ ], "related.user": [ "volu", - "ineavol", - "rehe" + "rehe", + "ineavol" ], "rsa.counters.dclass_c1": 3064, "rsa.counters.dclass_c1_str": "Affected Rows", 
@@ -4209,12 +4209,12 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.57.169.205", - "10.172.121.239" + "10.172.121.239", + "10.57.169.205" ], "related.user": [ - "iuta", "ctas", + "iuta", "ipsu" ], "rsa.counters.dclass_c1": 392, @@ -4268,13 +4268,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.129.234.200", - "10.42.218.103" + "10.42.218.103", + "10.129.234.200" ], "related.user": [ + "dquia", "tevelit", - "tisundeo", - "dquia" + "tisundeo" ], "rsa.counters.dclass_c1": 6709, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4331,8 +4331,8 @@ "10.76.121.224" ], "related.user": [ - "ali", "scive", + "ali", "oloremi" ], "rsa.counters.dclass_c1": 6155, @@ -4390,9 +4390,9 @@ "10.195.8.141" ], "related.user": [ + "dolo", "ota", - "enimip", - "dolo" + "enimip" ], "rsa.counters.dclass_c1": 469, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4445,13 +4445,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.179.60.167", - "10.173.13.179" + "10.173.13.179", + "10.179.60.167" ], "related.user": [ + "isn", "ptasn", - "apar", - "isn" + "apar" ], "rsa.counters.dclass_c1": 758, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4508,9 +4508,9 @@ "10.178.190.123" ], "related.user": [ - "ore", + "tiset", "orsi", - "tiset" + "ore" ], "rsa.counters.dclass_c1": 2290, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4591,13 +4591,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.207.198.239", - "10.8.147.176" + "10.8.147.176", + "10.207.198.239" ], "related.user": [ + "aUteni", "incididu", - "Loremips", - "aUteni" + "Loremips" ], "rsa.counters.dclass_c1": 3043, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4653,9 +4653,9 @@ "10.116.26.185" ], "related.user": [ - "litesseq", "oNe", - "nseq" + "nseq", + "litesseq" ], "rsa.counters.dclass_c1": 3218, "rsa.counters.dclass_c1_str": "Affected Rows", 
@@ -4704,13 +4704,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.86.180.150", - "10.253.127.130" + "10.253.127.130", + "10.86.180.150" ], "related.user": [ "mnisis", - "itasper", - "etconsec" + "etconsec", + "itasper" ], "rsa.counters.dclass_c1": 4564, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4765,12 +4765,12 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.220.175.201", - "10.158.161.5" + "10.158.161.5", + "10.220.175.201" ], "related.user": [ - "rrors", - "dolo" + "dolo", + "rrors" ], "rsa.counters.event_counter": 4098, "rsa.db.database": "tsed", @@ -4856,8 +4856,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.248.16.82", - "10.150.27.144" + "10.150.27.144", + "10.248.16.82" ], "related.user": [ "ditautf", @@ -4919,9 +4919,9 @@ "10.146.131.76" ], "related.user": [ - "Except", "olo", - "orsi" + "orsi", + "Except" ], "rsa.counters.dclass_c1": 5844, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -5032,9 +5032,9 @@ "10.253.175.129" ], "related.user": [ + "ate", "nrep", - "epteurs", - "ate" + "epteurs" ], "rsa.counters.dclass_c1": 6260, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -5094,16 +5094,16 @@ ], "related.user": [ "aboris", - "atus", - "orumetMa" + "orumetMa", + "atus" ], "rsa.counters.event_counter": 5863, "rsa.db.database": "inventor", "rsa.internal.event_desc": "loi", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "block", - "atcupi" + "atcupi", + "block" ], "rsa.misc.category": "tation", "rsa.misc.disposition": "seddoe", @@ -5155,12 +5155,12 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.81.108.232", - "10.52.106.68" + "10.52.106.68", + "10.81.108.232" ], "related.user": [ - "aco", "neavolup", + "aco", "uaturve" ], "rsa.counters.event_counter": 5098, 
@@ -5168,8 +5168,8 @@ "rsa.internal.event_desc": "pis", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "Quisaut", - "allow" + "allow", + "Quisaut" ], "rsa.misc.category": "idol", "rsa.misc.disposition": "mmodico", @@ -5222,21 +5222,21 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.223.10.28", - "10.230.48.97" + "10.230.48.97", + "10.223.10.28" ], "related.user": [ - "erit", + "usmodte", "untex", - "usmodte" + "erit" ], "rsa.counters.event_counter": 4029, "rsa.db.database": "ommodi", "rsa.internal.event_desc": "itatiset", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "tconse", - "deny" + "deny", + "tconse" ], "rsa.misc.category": "uaerat", "rsa.misc.disposition": "met", @@ -5291,9 +5291,9 @@ "10.161.212.150" ], "related.user": [ - "tasnul", "sequamn", - "res" + "res", + "tasnul" ], "rsa.counters.dclass_c1": 4846, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -5348,21 +5348,21 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.247.108.144", - "10.226.75.20" + "10.226.75.20", + "10.247.108.144" ], "related.user": [ - "fugia", "tema", - "maccusan" + "maccusan", + "fugia" ], "rsa.counters.event_counter": 3711, "rsa.db.database": "psa", "rsa.internal.event_desc": "stiaec", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "block", - "iat" + "iat", + "block" ], "rsa.misc.category": "officia", "rsa.misc.disposition": "ametcon", @@ -5412,12 +5412,12 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.192.15.65", - "10.97.22.61" + "10.97.22.61", + "10.192.15.65" ], "related.user": [ - "rExcep", "nimides", + "rExcep", "illumd" ], "rsa.counters.dclass_c1": 4173, @@ -5469,8 +5469,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.116.76.161", - "10.197.254.133" + "10.197.254.133", + "10.116.76.161" ], "related.user": [ "ide", 
@@ -5482,8 +5482,8 @@ "rsa.internal.event_desc": "ritat", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "quid", - "cancel" + "cancel", + "quid" ], "rsa.misc.category": "dipi", "rsa.misc.disposition": "asnulapa", @@ -5533,13 +5533,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.28.77.79", - "10.144.14.15" + "10.144.14.15", + "10.28.77.79" ], "related.user": [ - "rspic", + "upta", "utlab", - "upta" + "rspic" ], "rsa.counters.dclass_c1": 4810, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -5591,12 +5591,12 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.18.15.43", - "10.248.177.182" + "10.248.177.182", + "10.18.15.43" ], "related.user": [ - "quei", "quaturve", + "quei", "caecat" ], "rsa.counters.dclass_c1": 983, diff --git a/x-pack/filebeat/module/microsoft/_meta/fields.yml b/x-pack/filebeat/module/microsoft/_meta/fields.yml index 6c034898d5f..fcc100e25bd 100644 --- a/x-pack/filebeat/module/microsoft/_meta/fields.yml +++ b/x-pack/filebeat/module/microsoft/_meta/fields.yml @@ -3,8 +3,3 @@ description: > Microsoft Module fields: - - name: microsoft - type: group - description: > - Fields from Microsoft ATP - fields: diff --git a/x-pack/filebeat/module/microsoft/defender_atp/_meta/fields.yml b/x-pack/filebeat/module/microsoft/defender_atp/_meta/fields.yml index 4fdc0266976..fae3cf2cfd0 100644 --- a/x-pack/filebeat/module/microsoft/defender_atp/_meta/fields.yml +++ b/x-pack/filebeat/module/microsoft/defender_atp/_meta/fields.yml @@ -1,4 +1,4 @@ -- name: defender_atp +- name: microsoft.defender_atp type: group release: beta default_field: false @@ -88,4 +88,4 @@ - name: evidence.userPrincipalName type: keyword description: > - Principal name of the user involved in the alert \ No newline at end of file + Principal name of the user involved in the alert diff --git a/x-pack/filebeat/module/microsoft/fields.go b/x-pack/filebeat/module/microsoft/fields.go index 1d9507c6237..2576fcb8ac7 100644 
--- a/x-pack/filebeat/module/microsoft/fields.go +++ b/x-pack/filebeat/module/microsoft/fields.go @@ -19,5 +19,5 @@ func init() { // AssetMicrosoft returns asset data. // This is the base64 encoded gzipped contents of module/microsoft. func AssetMicrosoft() string { - return "" + return "" } diff --git a/x-pack/filebeat/module/netscout/sightline/test/generated.log-expected.json b/x-pack/filebeat/module/netscout/sightline/test/generated.log-expected.json index 84a3179ce56..530aa6f4cc1 100644 --- a/x-pack/filebeat/module/netscout/sightline/test/generated.log-expected.json +++ b/x-pack/filebeat/module/netscout/sightline/test/generated.log-expected.json @@ -974,8 +974,8 @@ "observer.type": "DDOS", "observer.vendor": "Netscout", "related.ip": [ - "10.168.131.247", - "10.136.232.108" + "10.136.232.108", + "10.168.131.247" ], "rsa.internal.messageid": "Blocked_Host", "rsa.misc.msgIdPart1": "Blocked", @@ -1674,8 +1674,8 @@ "observer.type": "DDOS", "observer.vendor": "Netscout", "related.ip": [ - "10.216.83.142", - "10.224.198.212" + "10.224.198.212", + "10.216.83.142" ], "rsa.internal.messageid": "anomaly", "rsa.misc.category": "utodita", @@ -1712,8 +1712,8 @@ "observer.type": "DDOS", "observer.vendor": "Netscout", "related.ip": [ - "10.28.226.128", - "10.122.76.148" + "10.122.76.148", + "10.28.226.128" ], "rsa.internal.messageid": "Blocked_Host", "rsa.misc.msgIdPart1": "Blocked", diff --git a/x-pack/filebeat/module/o365/audit/test/04-sharepoint.log-expected.json b/x-pack/filebeat/module/o365/audit/test/04-sharepoint.log-expected.json index 92415bf00c4..56a4f778e7f 100644 --- a/x-pack/filebeat/module/o365/audit/test/04-sharepoint.log-expected.json +++ b/x-pack/filebeat/module/o365/audit/test/04-sharepoint.log-expected.json 
@@ -59,7 +59,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -127,7 +127,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -195,7 +195,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -263,7 +263,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", diff --git a/x-pack/filebeat/module/o365/audit/test/06-sharepointfileop.log-expected.json b/x-pack/filebeat/module/o365/audit/test/06-sharepointfileop.log-expected.json index d6e9404a842..b5c79d506d1 100644 --- a/x-pack/filebeat/module/o365/audit/test/06-sharepointfileop.log-expected.json +++ b/x-pack/filebeat/module/o365/audit/test/06-sharepointfileop.log-expected.json 
@@ -67,7 +67,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -143,7 +143,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -219,7 +219,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -295,7 +295,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -372,7 +372,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", 
@@ -448,7 +448,7 @@
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
 "user.name": "asr",
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
 "user_agent.name": "Firefox",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
 "user_agent.os.full": "Mac OS X 10.14",
@@ -524,7 +524,7 @@
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
 "user.name": "asr",
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
 "user_agent.name": "Firefox",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
 "user_agent.os.full": "Mac OS X 10.14",
@@ -601,7 +601,7 @@
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
 "user.name": "asr",
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
 "user_agent.name": "Firefox",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
 "user_agent.os.full": "Mac OS X 10.14",
@@ -677,7 +677,7 @@
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
 "user.name": "asr",
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
 "user_agent.name": "Firefox",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
 "user_agent.os.full": "Mac OS X 10.14",
@@ -753,7 +753,7 @@
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
 "user.name": "asr",
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
 "user_agent.name": "Firefox",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
 "user_agent.os.full": "Mac OS X 10.14",
@@ -829,7 +829,7 @@
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
 "user.name": "asr",
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
 "user_agent.name": "Firefox",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
 "user_agent.os.full": "Mac OS X 10.14",
diff --git a/x-pack/filebeat/module/o365/audit/test/14-sp-sharing-op.log-expected.json b/x-pack/filebeat/module/o365/audit/test/14-sp-sharing-op.log-expected.json
index 9f10e9f89f3..cc096b3acc2 100644
--- a/x-pack/filebeat/module/o365/audit/test/14-sp-sharing-op.log-expected.json
+++ b/x-pack/filebeat/module/o365/audit/test/14-sp-sharing-op.log-expected.json
@@ -316,7 +316,7 @@
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
 "user.name": "asr",
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
 "user_agent.name": "Firefox",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0",
 "user_agent.os.full": "Mac OS X 10.14",
@@ -390,7 +390,7 @@
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
 "user.name": "asr",
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
 "user_agent.name": "Firefox",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0",
 "user_agent.os.full": "Mac OS X 10.14",
@@ -465,7 +465,7 @@
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
 "user.name": "asr",
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
 "user_agent.name": "Firefox",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0",
 "user_agent.os.full": "Mac OS X 10.14",
@@ -540,7 +540,7 @@
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
 "user.name": "asr",
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
 "user_agent.name": "Firefox",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0",
 "user_agent.os.full": "Mac OS X 10.14",
@@ -615,7 +615,7 @@
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
 "user.name": "asr",
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
 "user_agent.name": "Firefox",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0",
 "user_agent.os.full": "Mac OS X 10.14",
diff --git a/x-pack/filebeat/module/o365/audit/test/15-azuread-sts-logon.log-expected.json b/x-pack/filebeat/module/o365/audit/test/15-azuread-sts-logon.log-expected.json
index 2daa90ba4b7..60c77401b35 100644
--- a/x-pack/filebeat/module/o365/audit/test/15-azuread-sts-logon.log-expected.json
+++ b/x-pack/filebeat/module/o365/audit/test/15-azuread-sts-logon.log-expected.json
@@ -88,7 +88,7 @@
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
 "user.name": "asr",
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
 "user_agent.name": "Firefox",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
 "user_agent.os.full": "Mac OS X 10.14",
@@ -185,7 +185,7 @@
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
 "user.name": "asr",
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
 "user_agent.name": "Firefox",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
 "user_agent.os.full": "Mac OS X 10.14",
@@ -282,7 +282,7 @@
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
 "user.name": "asr",
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
 "user_agent.name": "Firefox",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
 "user_agent.os.full": "Mac OS X 10.14",
@@ -379,7 +379,7 @@
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
 "user.name": "asr",
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
 "user_agent.name": "Firefox",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
 "user_agent.os.full": "Mac OS X 10.14",
@@ -476,7 +476,7 @@
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
 "user.name": "asr",
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
 "user_agent.name": "Firefox",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
 "user_agent.os.full": "Mac OS X 10.14",
@@ -573,7 +573,7 @@
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
 "user.name": "asr",
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
 "user_agent.name": "Firefox",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
 "user_agent.os.full": "Mac OS X 10.14",
@@ -670,7 +670,7 @@
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
 "user.name": "asr",
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
 "user_agent.name": "Firefox",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
 "user_agent.os.full": "Mac OS X 10.14",
@@ -767,7 +767,7 @@
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
 "user.name": "asr",
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
 "user_agent.name": "Firefox",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
 "user_agent.os.full": "Mac OS X 10.14",
@@ -864,7 +864,7 @@
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
 "user.name": "asr",
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
 "user_agent.name": "Firefox",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
 "user_agent.os.full": "Mac OS X 10.14",
@@ -961,7 +961,7 @@
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
 "user.name": "asr",
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
 "user_agent.name": "Firefox",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
 "user_agent.os.full": "Mac OS X 10.14",
@@ -1058,7 +1058,7 @@
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
 "user.name": "asr",
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
 "user_agent.name": "Firefox",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
 "user_agent.os.full": "Mac OS X 10.14",
@@ -1155,7 +1155,7 @@
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
 "user.name": "asr",
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
 "user_agent.name": "Firefox",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
 "user_agent.os.full": "Mac OS X 10.14",
@@ -1252,7 +1252,7 @@
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
 "user.name": "asr",
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
 "user_agent.name": "Firefox",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
 "user_agent.os.full": "Mac OS X 10.14",
@@ -1349,7 +1349,7 @@
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
 "user.name": "asr",
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
 "user_agent.name": "Firefox",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
 "user_agent.os.full": "Mac OS X 10.14",
@@ -1443,7 +1443,7 @@
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
 "user.name": "asr",
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
 "user_agent.name": "Firefox",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
 "user_agent.os.full": "Mac OS X 10.14",
@@ -1540,7 +1540,7 @@
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
 "user.name": "asr",
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
 "user_agent.name": "Firefox",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
 "user_agent.os.full": "Mac OS X 10.14",
@@ -1637,7 +1637,7 @@
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
 "user.name": "asr",
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
 "user_agent.name": "Firefox",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
 "user_agent.os.full": "Mac OS X 10.14",
@@ -1731,7 +1731,7 @@
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
 "user.name": "asr",
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
 "user_agent.name": "Firefox",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
 "user_agent.os.full": "Mac OS X 10.14",
@@ -1828,7 +1828,7 @@
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
 "user.name": "asr",
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
 "user_agent.name": "Firefox",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
 "user_agent.os.full": "Mac OS X 10.14",
@@ -1925,7 +1925,7 @@
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
 "user.name": "asr",
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
 "user_agent.name": "Firefox",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
 "user_agent.os.full": "Mac OS X 10.14",
@@ -2022,7 +2022,7 @@
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
 "user.name": "asr",
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
 "user_agent.name": "Firefox",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
 "user_agent.os.full": "Mac OS X 10.14",
@@ -2119,7 +2119,7 @@
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
 "user.name": "asr",
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
 "user_agent.name": "Firefox",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
 "user_agent.os.full": "Mac OS X 10.14",
@@ -2216,7 +2216,7 @@
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
 "user.name": "asr",
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
 "user_agent.name": "Firefox",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
 "user_agent.os.full": "Mac OS X 10.14",
@@ -2313,7 +2313,7 @@
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
 "user.name": "asr",
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
 "user_agent.name": "Firefox",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
 "user_agent.os.full": "Mac OS X 10.14",
@@ -2410,7 +2410,7 @@
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
 "user.name": "asr",
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
 "user_agent.name": "Firefox",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
 "user_agent.os.full": "Mac OS X 10.14",
@@ -2507,7 +2507,7 @@
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
 "user.name": "asr",
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
 "user_agent.name": "Firefox",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
 "user_agent.os.full": "Mac OS X 10.14",
@@ -2604,7 +2604,7 @@
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
 "user.name": "asr",
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
 "user_agent.name": "Firefox",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
 "user_agent.os.full": "Mac OS X 10.14",
@@ -2701,7 +2701,7 @@
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
 "user.name": "asr",
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
 "user_agent.name": "Firefox",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
 "user_agent.os.full": "Mac OS X 10.14",
@@ -2798,7 +2798,7 @@
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
 "user.name": "asr",
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
 "user_agent.name": "Firefox",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
 "user_agent.os.full": "Mac OS X 10.14",
@@ -2894,7 +2894,7 @@
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
 "user.name": "asr",
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
 "user_agent.name": "Firefox",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
 "user_agent.os.full": "Mac OS X 10.14",
@@ -2992,7 +2992,7 @@
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
 "user.name": "asr",
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
 "user_agent.name": "Firefox",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
 "user_agent.os.full": "Mac OS X 10.14",
@@ -3076,7 +3076,7 @@
 "forwarded"
 ],
 "user.id": "Unknown",
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
 "user_agent.name": "Firefox",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
 "user_agent.os.full": "Mac OS X 10.14",
@@ -3173,7 +3173,7 @@
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
 "user.name": "asr",
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
 "user_agent.name": "Firefox",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
 "user_agent.os.full": "Mac OS X 10.14",
@@ -3257,7 +3257,7 @@
 "forwarded"
 ],
 "user.id": "Unknown",
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
 "user_agent.name": "Firefox",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
 "user_agent.os.full": "Mac OS X 10.14",
@@ -3355,7 +3355,7 @@
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
 "user.name": "asr",
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
 "user_agent.name": "Firefox",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
 "user_agent.os.full": "Mac OS X 10.14",
@@ -3439,7 +3439,7 @@
 "forwarded"
 ],
 "user.id": "Unknown",
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
 "user_agent.name": "Firefox",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
 "user_agent.os.full": "Mac OS X 10.14",
@@ -3537,7 +3537,7 @@
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
 "user.name": "asr",
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
 "user_agent.name": "Firefox",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
 "user_agent.os.full": "Mac OS X 10.14",
@@ -3634,7 +3634,7 @@
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
 "user.name": "asr",
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
 "user_agent.name": "Firefox",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
 "user_agent.os.full": "Mac OS X 10.14",
@@ -3731,7 +3731,7 @@
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
 "user.name": "asr",
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
 "user_agent.name": "Firefox",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
 "user_agent.os.full": "Mac OS X 10.14",
@@ -3815,7 +3815,7 @@
 "forwarded"
 ],
 "user.id": "Unknown",
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
 "user_agent.name": "Firefox",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
 "user_agent.os.full": "Mac OS X 10.14",
@@ -3913,7 +3913,7 @@
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
 "user.name": "asr",
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
 "user_agent.name": "Firefox",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
 "user_agent.os.full": "Mac OS X 10.14",
@@ -4007,7 +4007,7 @@
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
 "user.name": "asr",
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
 "user_agent.name": "Firefox",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
 "user_agent.os.full": "Mac OS X 10.14",
@@ -4104,7 +4104,7 @@
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
 "user.name": "asr",
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
 "user_agent.name": "Firefox",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
 "user_agent.os.full": "Mac OS X 10.14",
@@ -4201,7 +4201,7 @@
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
 "user.name": "asr",
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
 "user_agent.name": "Firefox",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
 "user_agent.os.full": "Mac OS X 10.14",
@@ -4285,7 +4285,7 @@
 "forwarded"
 ],
 "user.id": "Unknown",
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
 "user_agent.name": "Firefox",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
 "user_agent.os.full": "Mac OS X 10.14",
@@ -4382,7 +4382,7 @@
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
 "user.name": "asr",
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
 "user_agent.name": "Firefox",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
 "user_agent.os.full": "Mac OS X 10.14",
@@ -4479,7 +4479,7 @@
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
 "user.name": "asr",
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
 "user_agent.name": "Firefox",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
 "user_agent.os.full": "Mac OS X 10.14",
@@ -4576,7 +4576,7 @@
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
 "user.name": "asr",
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
 "user_agent.name": "Firefox",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
 "user_agent.os.full": "Mac OS X 10.14",
@@ -4673,7 +4673,7 @@
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
 "user.name": "asr",
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
 "user_agent.name": "Firefox",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
 "user_agent.os.full": "Mac OS X 10.14",
@@ -4770,7 +4770,7 @@
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
 "user.name": "asr",
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
 "user_agent.name": "Firefox",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
 "user_agent.os.full": "Mac OS X 10.14",
@@ -4867,7 +4867,7 @@
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
 "user.name": "asr",
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
 "user_agent.name": "Firefox",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
 "user_agent.os.full": "Mac OS X 10.14",
@@ -4964,7 +4964,7 @@
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
 "user.name": "asr",
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
 "user_agent.name": "Firefox",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
 "user_agent.os.full": "Mac OS X 10.14",
@@ -5061,7 +5061,7 @@
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
 "user.name": "asr",
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
 "user_agent.name": "Firefox",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
 "user_agent.os.full": "Mac OS X 10.14",
@@ -5158,7 +5158,7 @@
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
 "user.name": "asr",
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
 "user_agent.name": "Firefox",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
 "user_agent.os.full": "Mac OS X 10.14",
@@ -5255,7 +5255,7 @@
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
 "user.name": "asr",
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
 "user_agent.name": "Firefox",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
 "user_agent.os.full": "Mac OS X 10.14",
@@ -5352,7 +5352,7 @@
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
 "user.name": "asr",
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
 "user_agent.name": "Firefox",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
 "user_agent.os.full": "Mac OS X 10.14",
@@ -5449,7 +5449,7 @@
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
 "user.name": "asr",
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
 "user_agent.name": "Firefox",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
 "user_agent.os.full": "Mac OS X 10.14",
@@ -5546,7 +5546,7 @@
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
 "user.name": "asr",
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
 "user_agent.name": "Firefox",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
 "user_agent.os.full": "Mac OS X 10.14",
@@ -5640,7 +5640,7 @@
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
 "user.name": "asr",
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
 "user_agent.name": "Firefox",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
 "user_agent.os.full": "Mac OS X 10.14",
@@ -5737,7 +5737,7 @@
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
 "user.name": "asr",
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
 "user_agent.name": "Firefox",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
 "user_agent.os.full": "Mac OS X 10.14",
@@ -5834,7 +5834,7 @@
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
 "user.name": "asr",
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
 "user_agent.name": "Firefox",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
 "user_agent.os.full": "Mac OS X 10.14",
@@ -5931,7 +5931,7 @@
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
 "user.name": "asr",
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
 "user_agent.name": "Firefox",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
 "user_agent.os.full": "Mac OS X 10.14",
@@ -6028,7 +6028,7 @@
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
 "user.name": "asr",
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
 "user_agent.name": "Firefox",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
 "user_agent.os.full": "Mac OS X 10.14",
@@ -6125,7 +6125,7 @@
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
 "user.name": "asr",
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
 "user_agent.name": "Firefox",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
 "user_agent.os.full": "Mac OS X 10.14",
@@ -6222,7 +6222,7 @@
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
 "user.name": "asr",
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
 "user_agent.name": "Firefox",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
 "user_agent.os.full": "Mac OS X 10.14",
@@ -6319,7 +6319,7 @@
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
 "user.name": "asr",
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
 "user_agent.name": "Firefox",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
 "user_agent.os.full": "Mac OS X 10.14",
@@ -6416,7 +6416,7 @@
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
 "user.name": "asr",
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
 "user_agent.name": "Firefox",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
 "user_agent.os.full": "Mac OS X 10.14",
@@ -6513,7 +6513,7 @@
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
 "user.name": "asr",
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
 "user_agent.name": "Firefox",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
 "user_agent.os.full": "Mac OS X 10.14",
@@ -6610,7 +6610,7 @@
 "user.domain": "testsiem.onmicrosoft.com",
 "user.id": "asr@testsiem.onmicrosoft.com",
 "user.name": "asr",
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
 "user_agent.name": "Firefox",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0",
 "user_agent.os.full": "Mac OS X 10.14",
diff --git a/x-pack/filebeat/module/okta/system/test/okta-system-test.json.log-expected.json b/x-pack/filebeat/module/okta/system/test/okta-system-test.json.log-expected.json
index c85eeff2148..437a7ea5627 100644
--- a/x-pack/filebeat/module/okta/system/test/okta-system-test.json.log-expected.json
+++ b/x-pack/filebeat/module/okta/system/test/okta-system-test.json.log-expected.json
@@ -65,7 +65,7 @@
 "tags": [
 "forwarded"
 ],
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
 "user_agent.name": "Firefox",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0",
 "user_agent.os.full": "Mac OS X 10.15",
@@ -140,7 +140,7 @@
 "tags": [
 "forwarded"
 ],
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
 "user_agent.name": "Firefox",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0",
 "user_agent.os.full": "Mac OS X 10.15",
@@ -230,7 +230,7 @@
 "tags": [
 "forwarded"
 ],
- "user_agent.device.name": "Other",
+ "user_agent.device.name": "Mac",
 "user_agent.name": "Firefox",
 "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0",
 "user_agent.os.full": "Mac OS X 10.15",
diff --git a/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json b/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json
index 6892f63bb1c..56ba3e6e78d 100644
--- a/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json
+++ b/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json
@@ -544,9 +544,9 @@
 "observer.type": "Firewall",
 "observer.vendor": "Sonicwall",
 "related.ip": [
+ "10.245.200.97",
 "10.34.161.166",
- "10.219.116.137",
- "10.245.200.97"
+ "10.219.116.137"
 ],
 "rsa.internal.event_desc": "rehend",
 "rsa.internal.messageid": "428",
@@ -592,8 +592,8 @@
 "observer.type": "Firewall",
 "observer.vendor": "Sonicwall",
 "related.ip": [
- "10.118.80.140",
- "10.252.122.195"
+ "10.252.122.195",
+ "10.118.80.140"
 ],
 "rsa.internal.messageid": "401",
 "rsa.internal.msg": "inesci",
@@ -965,8 +965,8 @@
 "observer.type": "Firewall",
 "observer.vendor": "Sonicwall",
 "related.ip": [
- "10.126.34.82",
- "10.14.1.45"
+ "10.14.1.45",
+ "10.126.34.82"
 ],
 "rsa.internal.messageid": "196",
 "rsa.internal.msg": "vita",
@@ -999,8 +999,8 @@
 "observer.type": "Firewall",
 "observer.vendor": "Sonicwall",
 "related.ip": [
- "10.251.20.13",
- "10.101.74.44"
+ "10.101.74.44",
+ "10.251.20.13"
 ],
 "related.user": [
 "rsitv"
@@ -1173,8 +1173,8 @@
 "observer.type": "Firewall",
 "observer.vendor": "Sonicwall",
 "related.ip": [
- "10.54.14.189",
- "10.216.125.252"
+ "10.216.125.252",
+ "10.54.14.189"
 ],
 "rsa.internal.messageid": "402",
 "rsa.internal.msg": "tvol",
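Review bot: The `related.ip` hunks in the sonicwall section here (starting at `@@ -544,9 +544,9 @@`) only reorder array members, which suggests the pipeline emits these set-valued ECS fields in a non-deterministic order and the golden files are being regenerated to chase it; the same pattern continues through the remaining sonicwall hunks and the squid section's `related.ip` and `rsa.misc.action` hunks. If element order carries no meaning for these fields, the fixture comparison should normalise array-valued fields (sort before comparing) or the pipeline should emit them in a stable order, otherwise this suite will keep flapping and the re-recorded files will keep masking the cause. If the reorder is instead intentional, a sentence in the commit description saying which change in the pipeline produced it would make the churn traceable.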
@@ -1208,8 +1208,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.97.124.211", - "10.53.113.23" + "10.53.113.23", + "10.97.124.211" ], "rsa.identity.user_sid_dst": "iumdol", "rsa.internal.messageid": "1154", @@ -1304,8 +1304,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.108.249.60", - "10.76.110.144" + "10.76.110.144", + "10.108.249.60" ], "rsa.internal.messageid": "931", "rsa.internal.msg": "qua", @@ -1378,8 +1378,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.147.88.219", - "10.31.190.145" + "10.31.190.145", + "10.147.88.219" ], "related.user": [ "corpori" @@ -1420,9 +1420,9 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.108.84.24", "10.113.100.237", - "10.251.248.228" + "10.251.248.228", + "10.108.84.24" ], "rsa.internal.event_desc": "volupt", "rsa.internal.messageid": "606", @@ -1820,8 +1820,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.116.173.79", - "10.185.37.32" + "10.185.37.32", + "10.116.173.79" ], "rsa.internal.messageid": "178", "rsa.internal.msg": "ende", @@ -2094,8 +2094,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.222.169.140", - "10.117.63.181" + "10.117.63.181", + "10.222.169.140" ], "rsa.internal.messageid": "195", "rsa.internal.msg": "magnaal", @@ -2318,8 +2318,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.125.85.128", - "10.78.29.246" + "10.78.29.246", + "10.125.85.128" ], "rsa.internal.messageid": "355", "rsa.internal.msg": "labo", @@ -2571,8 +2571,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.143.0.78", - "10.250.149.166" + "10.250.149.166", + "10.143.0.78" ], "rsa.internal.messageid": "713", "rsa.misc.action": [ 
@@ -2673,8 +2673,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.179.3.247", - "10.219.228.115" + "10.219.228.115", + "10.179.3.247" ], "rsa.internal.messageid": "373", "rsa.misc.action": [ diff --git a/x-pack/filebeat/module/squid/log/test/access1.log-expected.json b/x-pack/filebeat/module/squid/log/test/access1.log-expected.json index 5f0e879398a..3bd7adbce31 100644 --- a/x-pack/filebeat/module/squid/log/test/access1.log-expected.json +++ b/x-pack/filebeat/module/squid/log/test/access1.log-expected.json @@ -22,8 +22,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.21.199", - "209.73.177.115" + "209.73.177.115", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -83,8 +83,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.21.199", - "207.58.145.61" + "207.58.145.61", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -158,8 +158,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -320,8 +320,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -368,8 +368,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.21.199", - "66.102.9.147" + "66.102.9.147", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -380,8 +380,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", 
@@ -443,8 +443,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -494,8 +494,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.21.199", - "207.58.145.61" + "207.58.145.61", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -506,8 +506,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -557,8 +557,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.21.199", - "207.58.145.61" + "207.58.145.61", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -670,8 +670,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "209.85.16.38", - "10.105.21.199" + "10.105.21.199", + "209.85.16.38" ], "related.user": [ "badeyek" @@ -682,8 +682,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -861,8 +861,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -962,8 +962,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "207.58.145.61", - "10.105.21.199" + "10.105.21.199", + "207.58.145.61" ], "related.user": [ "badeyek" 
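Review bot: The `related.ip` and `rsa.misc.action` reorders on this line are not consistent with each other, which suggests the array order is nondeterministic rather than intentionally changed: `@@ -494,8 +494,8 @@` moves the client address `10.105.21.199` to the second slot while `@@ -670,8 +670,8 @@` moves it to the first, and `@@ -443,8 +443,8 @@` puts `GET` before `TCP_REFRESH_HIT` while `@@ -506,8 +506,8 @@` does the reverse. If that is the case these golden files will churn on every regeneration, and a real change to the set of IPs or actions could hide inside a reorder-only diff that reviewers learn to rubber-stamp. Consider normalizing the order — sort `related.*` and `rsa.misc.action` in the pipeline, or compare those arrays order-insensitively in the module test harness — so the expected files only change when the values change. The code that builds these arrays is outside this diff, so the nondeterminism is inferred from the pattern of the hunks only.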
@@ -974,8 +974,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -1083,8 +1083,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.21.199", - "64.127.126.178" + "64.127.126.178", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -1158,8 +1158,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "302", @@ -1317,8 +1317,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "209.73.177.115", - "10.105.21.199" + "10.105.21.199", + "209.73.177.115" ], "related.user": [ "badeyek" @@ -1328,8 +1328,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1378,8 +1378,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_DENIED", - "GET" + "GET", + "TCP_DENIED" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -1425,8 +1425,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "216.155.194.239" + "216.155.194.239", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -1498,8 +1498,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", 
@@ -1561,8 +1561,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/css", "rsa.misc.result_code": "200", @@ -1669,8 +1669,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_DENIED" + "TCP_DENIED", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -1719,8 +1719,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_IMS_HIT", - "GET" + "GET", + "TCP_IMS_HIT" ], "rsa.misc.content_type": "text/css", "rsa.misc.result_code": "304", @@ -1769,8 +1769,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_IMS_HIT", - "GET" + "GET", + "TCP_IMS_HIT" ], "rsa.misc.content_type": "text/css", "rsa.misc.result_code": "304", @@ -1819,8 +1819,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "204.13.51.238", - "10.105.47.218" + "10.105.47.218", + "204.13.51.238" ], "related.user": [ "nazsoau" @@ -1882,8 +1882,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.47.218", - "204.13.51.238" + "204.13.51.238", + "10.105.47.218" ], "related.user": [ "nazsoau" @@ -1894,8 +1894,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/css", "rsa.misc.result_code": "200", @@ -1941,8 +1941,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "216.155.194.239" + "216.155.194.239", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" 
@@ -1997,8 +1997,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "68.142.194.14" + "68.142.194.14", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -2009,8 +2009,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -2057,8 +2057,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "68.142.219.132", - "10.105.33.214" + "10.105.33.214", + "68.142.219.132" ], "related.user": [ "adeolaegbedokun" @@ -2116,8 +2116,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "216.155.194.239" + "216.155.194.239", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -2127,8 +2127,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "POST" + "POST", + "TCP_MISS" ], "rsa.misc.content_type": "text/plain", "rsa.misc.result_code": "200", @@ -2185,8 +2185,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -2236,8 +2236,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.21.199", - "63.245.209.21" + "63.245.209.21", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -2248,8 +2248,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "302", 
@@ -2295,8 +2295,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "68.142.231.252", - "10.105.33.214" + "10.105.33.214", + "68.142.231.252" ], "related.user": [ "adeolaegbedokun" @@ -2461,8 +2461,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "POST", - "TCP_DENIED" + "TCP_DENIED", + "POST" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -2510,8 +2510,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "POST", - "TCP_DENIED" + "TCP_DENIED", + "POST" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -2558,8 +2558,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_DENIED" + "TCP_DENIED", + "CONNECT" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -2618,8 +2618,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -2714,8 +2714,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "68.142.219.132", - "10.105.33.214" + "10.105.33.214", + "68.142.219.132" ], "related.user": [ "adeolaegbedokun" @@ -2726,8 +2726,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -2784,8 +2784,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "POST" + "POST", + "TCP_MISS" ], "rsa.misc.content_type": "text/plain", "rsa.misc.result_code": "200", 
@@ -2904,8 +2904,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -3050,8 +3050,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "68.142.219.132" + "68.142.219.132", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -3110,8 +3110,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "68.142.219.132" + "68.142.219.132", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -3122,8 +3122,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -3170,8 +3170,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "68.142.219.132", - "10.105.33.214" + "10.105.33.214", + "68.142.219.132" ], "related.user": [ "adeolaegbedokun" @@ -3182,8 +3182,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -3230,8 +3230,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "68.142.219.132", - "10.105.33.214" + "10.105.33.214", + "68.142.219.132" ], "related.user": [ "adeolaegbedokun" @@ -3242,8 +3242,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", 
@@ -3342,8 +3342,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_IMS_HIT", - "GET" + "GET", + "TCP_IMS_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -3392,8 +3392,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_HIT" + "TCP_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -3440,8 +3440,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "212.58.226.33", - "10.105.21.199" + "10.105.21.199", + "212.58.226.33" ], "related.user": [ "badeyek" @@ -3671,8 +3671,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "POST" + "POST", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "302", @@ -3782,8 +3782,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "68.142.219.132", - "10.105.33.214" + "10.105.33.214", + "68.142.219.132" ], "related.user": [ "adeolaegbedokun" @@ -3794,8 +3794,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -3854,8 +3854,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -3914,8 +3914,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", 
@@ -3964,8 +3964,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_DENIED" + "TCP_DENIED", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -4014,8 +4014,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_DENIED" + "TCP_DENIED", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -4125,8 +4125,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "68.142.219.132" + "68.142.219.132", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -4137,8 +4137,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "302", @@ -4197,8 +4197,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -4308,8 +4308,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "68.142.219.132" + "68.142.219.132", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -4378,8 +4378,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -4424,8 +4424,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "68.142.194.14" + "68.142.194.14", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" 
@@ -4436,8 +4436,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -4715,8 +4715,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.21.199", - "209.73.177.115" + "209.73.177.115", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -4789,8 +4789,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -4840,8 +4840,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "213.160.98.159", - "10.105.33.214" + "10.105.33.214", + "213.160.98.159" ], "related.user": [ "adeolaegbedokun" @@ -4953,8 +4953,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "213.160.98.167" + "213.160.98.167", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -5091,8 +5091,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -5141,8 +5141,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_DENIED" + "TCP_DENIED", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -5191,8 +5191,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_DENIED" + "TCP_DENIED", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", 
@@ -5249,8 +5249,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -5297,8 +5297,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.21.199", - "217.12.10.96" + "217.12.10.96", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -5408,8 +5408,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "213.160.98.169", - "10.105.21.199" + "10.105.21.199", + "213.160.98.169" ], "related.user": [ "badeyek" @@ -5420,8 +5420,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_SWAPFAIL_MISS", - "GET" + "GET", + "TCP_SWAPFAIL_MISS" ], "rsa.misc.content_type": "application/x-javascript", "rsa.misc.result_code": "200", @@ -5470,8 +5470,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_HIT" + "TCP_HIT", + "GET" ], "rsa.misc.content_type": "text/css", "rsa.misc.result_code": "200", @@ -5683,8 +5683,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_HIT" + "TCP_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", diff --git a/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json b/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json index 5d44c5bd12f..9fc69ab7754 100644 --- a/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json +++ b/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json 
@@ -150,7 +150,7 @@ "url.domain": "192.168.86.28", "url.original": "/dd.xml", "url.path": "/dd.xml", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36", "user_agent.os.full": "Mac OS X 10.13.5", @@ -208,7 +208,7 @@ "url.domain": "192.168.86.28", "url.original": "/ssdp/device-desc.xml", "url.path": "/ssdp/device-desc.xml", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36", "user_agent.os.full": "Mac OS X 10.13.5", diff --git a/x-pack/filebeat/module/tomcat/log/test/generated.log-expected.json b/x-pack/filebeat/module/tomcat/log/test/generated.log-expected.json index 4df04b99e4d..eb9298f3d1b 100644 --- a/x-pack/filebeat/module/tomcat/log/test/generated.log-expected.json +++ b/x-pack/filebeat/module/tomcat/log/test/generated.log-expected.json @@ -45,7 +45,7 @@ "url.domain": "example.com", "url.query": "amremap", "user.name": "rci", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "G8142", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", "user_agent.os.full": "Android 9", 
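Review bot: In the tomcat `@@ -45,7 +45,7 @@` hunk `user_agent.device.name` changes from the category `Generic Smartphone` to the raw model token `G8142`, i.e. the field now carries a verbatim, client-controlled substring of the `User-Agent` header instead of a small fixed vocabulary. Any detection rule, dashboard filter or allow-list that treated this field as an enumeration (`Other`, `Generic Smartphone`, `Generic Tablet`) will silently stop matching, and the value should now be treated as untrusted free text in the keyword field. This presumably comes from an updated user-agent regex database in the processor, which is outside this diff; if the changelog entry does not already say so, a line such as `user_agent.device.name now reports the device model (e.g. "Mac", "G8142") where the parser can identify it, instead of a generic category` would help consumers migrate.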
@@ -208,7 +208,7 @@ "url.domain": "www5.example.org", "url.query": "con", "user.name": "tur", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "5024D_RU", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61", "user_agent.os.full": "Android 9", @@ -872,7 +872,7 @@ "url.domain": "internal.example.net", "url.query": "iades", "user.name": "tat", - "user_agent.device.name": "Generic Tablet", + "user_agent.device.name": "Notepad_K10", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36", "user_agent.os.full": "Android 9", @@ -1313,7 +1313,7 @@ "url.domain": "internal.example.com", "url.query": "tet", "user.name": "ionevo", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "POCOPHONE F1", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", "user_agent.os.full": "Android 9", @@ -1370,7 +1370,7 @@ "url.domain": "example.net", "url.query": "orem", "user.name": "tenbyCi", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "G8142", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", "user_agent.os.full": "Android 9", 
@@ -1703,7 +1703,7 @@ "url.domain": "example.com", "url.query": "tutlab", "user.name": "siut", - "user_agent.device.name": "Generic Tablet", + "user_agent.device.name": "Notepad_K10", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36", "user_agent.os.full": "Android 9", @@ -1921,7 +1921,7 @@ "url.domain": "api.example.net", "url.query": "tincu", "user.name": "mve", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "G8142", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", "user_agent.os.full": "Android 9", @@ -1978,7 +1978,7 @@ "url.domain": "mail.example.org", "url.query": "rsita", "user.name": "uat", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "POCOPHONE F1", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", "user_agent.os.full": "Android 9", @@ -2143,7 +2143,7 @@ "url.domain": "mail.example.com", "url.query": "uptatemU", "user.name": "ore", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "5024D_RU", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61", "user_agent.os.full": "Android 9", 
@@ -2360,7 +2360,7 @@ "url.domain": "api.example.com", "url.query": "urExce", "user.name": "eporroq", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "U307AS", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", "user_agent.os.full": "Android 9", @@ -2417,7 +2417,7 @@ "url.domain": "example.net", "url.query": "erun", "user.name": "fugitse", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "G8142", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", "user_agent.os.full": "Android 9", @@ -2579,7 +2579,7 @@ "url.domain": "www.example.net", "url.query": "quasiar", "user.name": "econs", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "POCOPHONE F1", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", "user_agent.os.full": "Android 9", @@ -2693,7 +2693,7 @@ "url.domain": "internal.example.net", "url.query": "taliqui", "user.name": "leumiur", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Yandex Browser", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36", "user_agent.os.full": "Mac OS X 10.15.6", 
@@ -2750,7 +2750,7 @@ "url.domain": "mail.example.net", "url.query": "atnulapa", "user.name": "quaU", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "U307AS", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", "user_agent.os.full": "Android 9", @@ -2861,7 +2861,7 @@ "url.domain": "api.example.org", "url.query": "incidid", "user.name": "tiumto", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "G8142", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", "user_agent.os.full": "Android 9", @@ -2969,7 +2969,7 @@ "url.domain": "example.org", "url.query": "atem", "user.name": "ntmo", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "LM-V350", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", "user_agent.os.full": "Android 10", @@ -3689,7 +3689,7 @@ "url.domain": "www5.example.com", "url.query": "Utenimad", "user.name": "ptate", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "5024D_RU", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61", "user_agent.os.full": "Android 9", 
@@ -3743,7 +3743,7 @@ "url.domain": "www.example.net", "url.query": "aqui", "user.name": "ventor", - "user_agent.device.name": "Generic Tablet", + "user_agent.device.name": "Notepad_K10", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36", "user_agent.os.full": "Android 9", @@ -3908,7 +3908,7 @@ "url.domain": "www5.example.net", "url.query": "oremip", "user.name": "oluptat", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "LM-V350", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", "user_agent.os.full": "Android 10", @@ -4181,7 +4181,7 @@ "url.domain": "example.com", "url.query": "miurere", "user.name": "cin", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "5024D_RU", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61", "user_agent.os.full": "Android 9", @@ -4460,7 +4460,7 @@ "url.domain": "www5.example.com", "url.query": "luptasnu", "user.name": "mmo", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "5024D_RU", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61", "user_agent.os.full": "Android 9", 
@@ -5343,7 +5343,7 @@ "url.domain": "api.example.net", "url.query": "aborio", "user.name": "uira", - "user_agent.device.name": "Generic Tablet", + "user_agent.device.name": "Notepad_K10", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36", "user_agent.os.full": "Android 9", @@ -5511,7 +5511,7 @@ "url.domain": "internal.example.org", "url.query": "nidol", "user.name": "mco", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "5024D_RU", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61", "user_agent.os.full": "Android 9", diff --git a/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json b/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json index 2df5f4bcff8..ea74e1c3b31 100644 --- a/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json +++ b/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json @@ -23,8 +23,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.176.10.114", - "10.206.191.17" + "10.206.191.17", + "10.176.10.114" ], "related.user": [ "sumdo" @@ -182,8 +182,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "uptassi", "rsa.misc.action": [ - "Blocked", - "giatq" + "giatq", + "Blocked" ], "rsa.misc.category": "llu", "rsa.misc.filter": "tconsec", 
@@ -208,7 +208,7 @@ ], "url.original": "https://example.com/taspe/mvolu.gif?atcup=snos#iquaUte", "user.name": "tenima", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "U307AS", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", "user_agent.os.full": "Android 9", @@ -240,8 +240,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.103.246.190", - "10.252.125.53" + "10.252.125.53", + "10.103.246.190" ], "related.user": [ "equun" @@ -255,8 +255,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ima", "rsa.misc.action": [ - "Allowed", - "llam" + "llam", + "Allowed" ], "rsa.misc.category": "aboris", "rsa.misc.filter": "atatnonp", @@ -281,7 +281,7 @@ ], "url.original": "https://api.example.org/doloreeu/pori.jpg?itati=mfu#uid", "user.name": "equun", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "G8142", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", "user_agent.os.full": "Android 9", @@ -313,8 +313,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.61.78.108", - "10.136.153.149" + "10.136.153.149", + "10.61.78.108" ], "related.user": [ "ercit" @@ -328,8 +328,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "inim", "rsa.misc.action": [ - "reetdolo", - "Blocked" + "Blocked", + "reetdolo" ], "rsa.misc.category": "osquir", "rsa.misc.filter": "ipit", @@ -386,8 +386,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.183.16.166", - "10.66.250.92" + "10.66.250.92", + "10.183.16.166" ], "related.user": [ "tessec" 
@@ -401,8 +401,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "avol", "rsa.misc.action": [ - "ist", - "Allowed" + "Allowed", + "ist" ], "rsa.misc.category": "lorema", "rsa.misc.filter": "sun", @@ -474,8 +474,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "lupt", "rsa.misc.action": [ - "dun", - "Blocked" + "Blocked", + "dun" ], "rsa.misc.category": "rsitamet", "rsa.misc.filter": "usmod", @@ -532,8 +532,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.74.17.5", - "10.119.185.63" + "10.119.185.63", + "10.74.17.5" ], "related.user": [ "erc" @@ -547,8 +547,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tame", "rsa.misc.action": [ - "nsec", - "Blocked" + "Blocked", + "nsec" ], "rsa.misc.category": "emaperi", "rsa.misc.filter": "rehe", @@ -605,8 +605,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.78.151.178", - "10.25.192.202" + "10.25.192.202", + "10.78.151.178" ], "related.user": [ "quip" @@ -620,8 +620,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "atquovo", "rsa.misc.action": [ - "amvolup", - "Allowed" + "Allowed", + "amvolup" ], "rsa.misc.category": "hil", "rsa.misc.filter": "deFinibu", @@ -678,8 +678,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.71.170.37", - "10.135.225.244" + "10.135.225.244", + "10.71.170.37" ], "related.user": [ "atu" @@ -693,8 +693,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ihilm", "rsa.misc.action": [ - "psaquae", - "Allowed" + "Allowed", + "psaquae" ], "rsa.misc.category": "eFinib", "rsa.misc.filter": "inesci", 
@@ -719,7 +719,7 @@ ], "url.original": "https://mail.example.net/equep/iavolu.gif?aqu=rpo#uipe", "user.name": "atu", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "POCOPHONE F1", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", "user_agent.os.full": "Android 9", @@ -865,7 +865,7 @@ ], "url.original": "https://internal.example.net/oru/temqu.htm?etMalor=ipi#reseos", "user.name": "ihilmo", - "user_agent.device.name": "Generic Tablet", + "user_agent.device.name": "Notepad_K10", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36", "user_agent.os.full": "Android 9", @@ -897,8 +897,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.31.240.6", - "10.167.98.76" + "10.167.98.76", + "10.31.240.6" ], "related.user": [ "ratvolu" @@ -970,8 +970,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.135.160.125", - "10.0.55.9" + "10.0.55.9", + "10.135.160.125" ], "related.user": [ "volupta" @@ -1058,8 +1058,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "nnum", "rsa.misc.action": [ - "ntoccae", - "Allowed" + "Allowed", + "ntoccae" ], "rsa.misc.category": "tium", "rsa.misc.filter": "uteirure", @@ -1116,8 +1116,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.5.126.127", - "10.252.124.150" + "10.252.124.150", + "10.5.126.127" ], "related.user": [ "inibusB" @@ -1131,8 +1131,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "mod", "rsa.misc.action": [ - "xeacomm", - "Allowed" + "Allowed", + "xeacomm" ], "rsa.misc.category": "sauteiru", "rsa.misc.filter": "antiu", 
@@ -1277,8 +1277,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "quid", "rsa.misc.action": [ - "itecto", - "Allowed" + "Allowed", + "itecto" ], "rsa.misc.category": "quam", "rsa.misc.filter": "adeser", @@ -1408,8 +1408,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.29.155.171", - "10.229.83.165" + "10.229.83.165", + "10.29.155.171" ], "related.user": [ "ulapar" @@ -1423,8 +1423,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "vitaedi", "rsa.misc.action": [ - "llitanim", - "Allowed" + "Allowed", + "llitanim" ], "rsa.misc.category": "apariat", "rsa.misc.filter": "tasnulap", @@ -1481,8 +1481,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.129.192.145", - "10.161.148.64" + "10.161.148.64", + "10.129.192.145" ], "related.user": [ "lor" @@ -1554,8 +1554,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.7.200.140", - "10.203.65.161" + "10.203.65.161", + "10.7.200.140" ], "related.user": [ "snost" @@ -1569,8 +1569,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tdol", "rsa.misc.action": [ - "Allowed", - "nte" + "nte", + "Allowed" ], "rsa.misc.category": "adeseru", "rsa.misc.filter": "mac", @@ -1642,8 +1642,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "iutali", "rsa.misc.action": [ - "Blocked", - "atcupi" + "atcupi", + "Blocked" ], "rsa.misc.category": "isetq", "rsa.misc.filter": "equinesc", @@ -1700,8 +1700,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.24.111.229", - "10.39.31.115" + "10.39.31.115", + "10.24.111.229" ], "related.user": [ "fugi" 
@@ -1741,7 +1741,7 @@ ], "url.original": "https://example.com/luptatem/uaeratv.gif?dat=periam#dqu", "user.name": "fugi", - "user_agent.device.name": "Generic Tablet", + "user_agent.device.name": "Notepad_K10", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36", "user_agent.os.full": "Android 9", @@ -1788,8 +1788,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "riss", "rsa.misc.action": [ - "Blocked", - "risnis" + "risnis", + "Blocked" ], "rsa.misc.category": "emqu", "rsa.misc.filter": "oluptas", @@ -1846,8 +1846,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.128.173.19", - "10.88.172.34" + "10.88.172.34", + "10.128.173.19" ], "related.user": [ "agnaaliq" @@ -1919,8 +1919,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.130.241.232", - "10.238.224.49" + "10.238.224.49", + "10.130.241.232" ], "related.user": [ "onse" @@ -1960,7 +1960,7 @@ ], "url.original": "https://api.example.org/rure/asiarchi.txt?loremeu=aturve#utfug", "user.name": "onse", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "POCOPHONE F1", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", "user_agent.os.full": "Android 9", @@ -2033,7 +2033,7 @@ ], "url.original": "https://example.com/emUte/molestia.htm?orroqu=elitsed#labore", "user.name": "Cic", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "U307AS", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", "user_agent.os.full": "Android 9", 
@@ -2106,7 +2106,7 @@ ], "url.original": "https://mail.example.net/repreh/plic.jpg?utlabo=tetur#tionula", "user.name": "ueipsa", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "U307AS", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", "user_agent.os.full": "Android 9", @@ -2138,8 +2138,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.18.226.72", - "10.101.85.169" + "10.101.85.169", + "10.18.226.72" ], "related.user": [ "rroqu" @@ -2153,8 +2153,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "moles", "rsa.misc.action": [ - "Allowed", - "vitaed" + "vitaed", + "Allowed" ], "rsa.misc.category": "billoi", "rsa.misc.filter": "suntex", @@ -2179,7 +2179,7 @@ ], "url.original": "https://api.example.com/tcu/iatqu.jpg?quovo=urExcep#ema", "user.name": "rroqu", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "G8142", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", "user_agent.os.full": "Android 9", @@ -2211,8 +2211,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.87.100.240", - "10.242.182.193" + "10.242.182.193", + "10.87.100.240" ], "related.user": [ "stenatus" @@ -2284,8 +2284,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.80.57.247", - "10.229.242.223" + "10.229.242.223", + "10.80.57.247" ], "related.user": [ "itasp" @@ -2357,8 +2357,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.106.77.138", - "10.193.66.155" + "10.193.66.155", + "10.106.77.138" ], "related.user": [ "iusmodt" 
@@ -2372,8 +2372,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "uteir", "rsa.misc.action": [ - "Allowed", - "Section" + "Section", + "Allowed" ], "rsa.misc.category": "cididu", "rsa.misc.filter": "Utenima", @@ -2430,8 +2430,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.236.230.136", - "10.54.159.1" + "10.54.159.1", + "10.236.230.136" ], "related.user": [ "mUteni" @@ -2518,8 +2518,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tvolup", "rsa.misc.action": [ - "utemvel", - "Allowed" + "Allowed", + "utemvel" ], "rsa.misc.category": "untutlab", "rsa.misc.filter": "dol", @@ -2649,8 +2649,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.128.184.241", - "10.138.188.201" + "10.138.188.201", + "10.128.184.241" ], "related.user": [ "etur" @@ -2810,8 +2810,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "idolores", "rsa.misc.action": [ - "lestia", - "Blocked" + "Blocked", + "lestia" ], "rsa.misc.category": "risni", "rsa.misc.filter": "emacc", @@ -2868,8 +2868,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.33.144.10", - "10.202.224.79" + "10.202.224.79", + "10.33.144.10" ], "related.user": [ "rios" @@ -2883,8 +2883,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "lit", "rsa.misc.action": [ - "Blocked", - "quu" + "quu", + "Blocked" ], "rsa.misc.category": "oluptate", "rsa.misc.filter": "exercita", 
@@ -2982,7 +2982,7 @@ ], "url.original": "https://mail.example.com/qui/equeporr.jpg?itsedd=texpli#liquipex", "user.name": "CSe", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "U307AS", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", "user_agent.os.full": "Android 9", @@ -3029,8 +3029,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "voluptas", "rsa.misc.action": [ - "olor", - "Allowed" + "Allowed", + "olor" ], "rsa.misc.category": "ataevita", "rsa.misc.filter": "nderi", @@ -3160,8 +3160,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.137.164.122", - "10.143.0.78" + "10.143.0.78", + "10.137.164.122" ], "related.user": [ "orissus" @@ -3233,8 +3233,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.30.87.51", - "10.156.177.53" + "10.156.177.53", + "10.30.87.51" ], "related.user": [ "psaquaea" @@ -3321,8 +3321,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tatemse", "rsa.misc.action": [ - "upta", - "Blocked" + "Blocked", + "upta" ], "rsa.misc.category": "tlabo", "rsa.misc.filter": "aliqui", @@ -3379,8 +3379,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.141.195.13", - "10.180.150.47" + "10.180.150.47", + "10.141.195.13" ], "related.user": [ "taliq" @@ -3394,8 +3394,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "itesse", "rsa.misc.action": [ - "Allowed", - "uip" + "uip", + "Allowed" ], "rsa.misc.category": "teturad", "rsa.misc.filter": "roquisqu", @@ -3452,8 +3452,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.255.40.12", - "10.166.195.20" + "10.166.195.20", + "10.255.40.12" ], "related.user": [ "lamcolab" 
@@ -3467,8 +3467,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "mipsumq", "rsa.misc.action": [ - "Allowed", - "citation" + "citation", + "Allowed" ], "rsa.misc.category": "usant", "rsa.misc.filter": "Nem", @@ -3523,8 +3523,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.100.143.226", - "10.22.122.43" + "10.22.122.43", + "10.100.143.226" ], "related.user": [ "ute" @@ -3538,8 +3538,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ento", "rsa.misc.action": [ - "Blocked", - "Bonoru" + "Bonoru", + "Blocked" ], "rsa.misc.category": "luptasnu", "rsa.misc.filter": "quamni", @@ -3564,7 +3564,7 @@ ], "url.original": "https://example.org/tvolu/dutper.html?nbyCicer=scipit#equuntu", "user.name": "ute", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Yandex Browser", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36", "user_agent.os.full": "Mac OS X 10.15.6", @@ -3596,8 +3596,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.121.9.5", - "10.119.53.68" + "10.119.53.68", + "10.121.9.5" ], "related.user": [ "ssec" @@ -3611,8 +3611,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "dexea", "rsa.misc.action": [ - "tinvolup", - "Blocked" + "Blocked", + "tinvolup" ], "rsa.misc.category": "ende", "rsa.misc.filter": "onse", @@ -3755,8 +3755,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "epor", "rsa.misc.action": [ - "etquasia", - "Allowed" + "Allowed", + "etquasia" ], "rsa.misc.category": "iaturE", "rsa.misc.filter": "rep", 
@@ -3809,8 +3809,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.39.46.155", - "10.120.138.109" + "10.120.138.109", + "10.39.46.155" ], "related.user": [ "picia" @@ -3824,8 +3824,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "adipisc", "rsa.misc.action": [ - "exer", - "Blocked" + "Blocked", + "exer" ], "rsa.misc.category": "remagna", "rsa.misc.filter": "emvel", @@ -3850,7 +3850,7 @@ ], "url.original": "https://example.com/itsedqu/paq.jpg?hilmol=oluptate#todi", "user.name": "picia", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "U307AS", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", "user_agent.os.full": "Android 9", @@ -3897,8 +3897,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ecillum", "rsa.misc.action": [ - "emp", - "Blocked" + "Blocked", + "emp" ], "rsa.misc.category": "ciati", "rsa.misc.filter": "elit", @@ -4333,8 +4333,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tDuisaut", "rsa.misc.action": [ - "upidatat", - "Allowed" + "Allowed", + "upidatat" ], "rsa.misc.category": "aliquide", "rsa.misc.filter": "deriti", @@ -4359,7 +4359,7 @@ ], "url.original": "https://api.example.com/lits/tvolu.jpg?squir=gnaaliq#quam", "user.name": "tsedquia", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "G8142", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", "user_agent.os.full": "Android 9", 
@@ -4406,8 +4406,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "rroq", "rsa.misc.action": [ - "fdeFin", - "Blocked" + "Blocked", + "fdeFin" ], "rsa.misc.category": "diduntut", "rsa.misc.filter": "ano", @@ -4533,8 +4533,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.248.108.55", - "10.120.215.174" + "10.120.215.174", + "10.248.108.55" ], "related.user": [ "prehend" @@ -4548,8 +4548,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "rema", "rsa.misc.action": [ - "uatDu", - "Allowed" + "Allowed", + "uatDu" ], "rsa.misc.category": "ent", "rsa.misc.filter": "iscivel", @@ -4604,8 +4604,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.51.161.245", - "10.15.254.181" + "10.15.254.181", + "10.51.161.245" ], "related.user": [ "abo" @@ -4645,7 +4645,7 @@ ], "url.original": "https://www5.example.net/yCice/uinesci.htm?taevitae=dminimv#quam", "user.name": "abo", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "5024D_RU", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61", "user_agent.os.full": "Android 9", @@ -4677,8 +4677,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.7.152.238", - "10.129.66.196" + "10.129.66.196", + "10.7.152.238" ], "related.user": [ "equamn" @@ -4750,8 +4750,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.185.107.27", - "10.29.162.157" + "10.29.162.157", + "10.185.107.27" ], "related.user": [ "evelite" 
@@ -4765,8 +4765,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "orinrep", "rsa.misc.action": [ - "squirat", - "Blocked" + "Blocked", + "squirat" ], "rsa.misc.category": "sequa", "rsa.misc.filter": "orainci", @@ -4823,8 +4823,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.215.63.248", - "10.138.0.214" + "10.138.0.214", + "10.215.63.248" ], "related.user": [ "eavolupt" @@ -4838,8 +4838,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "odita", "rsa.misc.action": [ - "dqu", - "Blocked" + "Blocked", + "dqu" ], "rsa.misc.category": "ipex", "rsa.misc.filter": "ine", @@ -4864,7 +4864,7 @@ ], "url.original": "https://mail.example.org/umdolo/nimv.htm?equunt=tutla#usmod", "user.name": "eavolupt", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "5024D_RU", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61", "user_agent.os.full": "Android 9", @@ -5115,8 +5115,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.249.1.143", - "10.124.177.226" + "10.124.177.226", + "10.249.1.143" ], "related.user": [ "isciveli" @@ -5156,7 +5156,7 @@ ], "url.original": "https://internal.example.org/olorin/orisnisi.gif?eritquii=atevelit#dese", "user.name": "isciveli", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Yandex Browser", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36", "user_agent.os.full": "Mac OS X 10.15.6", 
@@ -5188,8 +5188,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.146.228.249", - "10.167.176.220" + "10.167.176.220", + "10.146.228.249" ], "related.user": [ "estla" @@ -5261,8 +5261,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.203.47.23", - "10.200.74.101" + "10.200.74.101", + "10.203.47.23" ], "related.user": [ "litesse" @@ -5276,8 +5276,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "nde", "rsa.misc.action": [ - "iqu", - "Allowed" + "Allowed", + "iqu" ], "rsa.misc.category": "ametco", "rsa.misc.filter": "ntincul", @@ -5334,8 +5334,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.24.23.209", - "10.162.78.48" + "10.162.78.48", + "10.24.23.209" ], "related.user": [ "ntore" @@ -5375,7 +5375,7 @@ ], "url.original": "https://example.com/sedqui/iuntNe.gif?epteu=nvent#uepor", "user.name": "ntore", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "U307AS", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", "user_agent.os.full": "Android 9", @@ -5407,8 +5407,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.55.151.53", - "10.211.66.68" + "10.211.66.68", + "10.55.151.53" ], "related.user": [ "squir" @@ -5422,8 +5422,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "diconseq", "rsa.misc.action": [ - "umet", - "Allowed" + "Allowed", + "umet" ], "rsa.misc.category": "ciad", "rsa.misc.filter": "oeiusmod", 
@@ -5448,7 +5448,7 @@ ], "url.original": "https://www5.example.net/lits/Nemoen.txt?elillu=seruntmo#imidest", "user.name": "squir", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "G8142", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", "user_agent.os.full": "Android 9", @@ -5521,7 +5521,7 @@ ], "url.original": "https://example.org/eius/evo.jpg?iarchit=volupt#ipis", "user.name": "mes", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "G8142", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", "user_agent.os.full": "Android 9", @@ -5626,8 +5626,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.124.119.48", - "10.26.222.144" + "10.26.222.144", + "10.124.119.48" ], "related.user": [ "nre" @@ -5641,8 +5641,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "lloin", "rsa.misc.action": [ - "Blocked", - "ici" + "ici", + "Blocked" ], "rsa.misc.category": "quidolor", "rsa.misc.filter": "nonproi", @@ -5714,8 +5714,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "officiad", "rsa.misc.action": [ - "Allowed", - "antium" + "antium", + "Allowed" ], "rsa.misc.category": "emoeni", "rsa.misc.filter": "itvo", @@ -5740,7 +5740,7 @@ ], "url.original": "https://mail.example.org/ntutlabo/leumiure.htm?eacommo=amqua#tionevol", "user.name": "ten", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "LM-V350", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", "user_agent.os.full": "Android 10", 
@@ -5959,7 +5959,7 @@ ], "url.original": "https://mail.example.net/enbyCic/aturau.gif?orroqui=sci#psamvolu", "user.name": "tectobe", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Yandex Browser", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36", "user_agent.os.full": "Mac OS X 10.15.6", @@ -6105,7 +6105,7 @@ ], "url.original": "https://api.example.net/mnisiut/eabil.jpg?psumqui=trude#ccusa", "user.name": "redolo", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "LM-V350", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", "user_agent.os.full": "Android 10", @@ -6137,8 +6137,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.13.125.101", - "10.97.202.149" + "10.97.202.149", + "10.13.125.101" ], "related.user": [ "colab" @@ -6152,8 +6152,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "atcupi", "rsa.misc.action": [ - "Blocked", - "uaUten" + "uaUten", + "Blocked" ], "rsa.misc.category": "modt", "rsa.misc.filter": "magnidol", @@ -6225,8 +6225,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "itautf", "rsa.misc.action": [ - "Blocked", - "mini" + "mini", + "Blocked" ], "rsa.misc.category": "gna", "rsa.misc.filter": "usmo", @@ -6283,8 +6283,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.10.25.145", - "10.224.249.228" + "10.224.249.228", + "10.10.25.145" ], "related.user": [ "mnisiuta" 
@@ -6298,8 +6298,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "issuscip", "rsa.misc.action": [ - "Blocked", - "remap" + "remap", + "Blocked" ], "rsa.misc.category": "eetdolo", "rsa.misc.filter": "rsitam", @@ -6324,7 +6324,7 @@ ], "url.original": "https://www.example.org/iat/acom.html?umdolo=oluptass#umqu", "user.name": "mnisiuta", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "LM-V350", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", "user_agent.os.full": "Android 10", @@ -6371,8 +6371,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "neavolu", "rsa.misc.action": [ - "nofdeF", - "Blocked" + "Blocked", + "nofdeF" ], "rsa.misc.category": "remagnam", "rsa.misc.filter": "maveniam", @@ -6397,7 +6397,7 @@ ], "url.original": "https://www.example.com/onorum/umiure.gif?lites=admini#trumexer", "user.name": "aeabillo", - "user_agent.device.name": "Generic Tablet", + "user_agent.device.name": "Notepad_K10", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36", "user_agent.os.full": "Android 9", @@ -6444,8 +6444,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ilmoles", "rsa.misc.action": [ - "Blocked", - "tatisetq" + "tatisetq", + "Blocked" ], "rsa.misc.category": "ametco", "rsa.misc.filter": "liquide", @@ -6502,8 +6502,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.154.188.132", - "10.166.205.159" + "10.166.205.159", + "10.154.188.132" ], "related.user": [ "uptat" 
@@ -6640,8 +6640,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.172.159.251", - "10.254.119.31" + "10.254.119.31", + "10.172.159.251" ], "related.user": [ "usm" @@ -6655,8 +6655,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "imadmi", "rsa.misc.action": [ - "tatemacc", - "Blocked" + "Blocked", + "tatemacc" ], "rsa.misc.category": "tutlabor", "rsa.misc.filter": "eturad", @@ -6728,8 +6728,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "isnost", "rsa.misc.action": [ - "Allowed", - "oriosa" + "oriosa", + "Allowed" ], "rsa.misc.category": "uis", "rsa.misc.filter": "nemul", @@ -6801,8 +6801,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ntut", "rsa.misc.action": [ - "nima", - "Blocked" + "Blocked", + "nima" ], "rsa.misc.category": "boru", "rsa.misc.filter": "umquia", @@ -6827,7 +6827,7 @@ ], "url.original": "https://www5.example.org/oriosa/ssusc.htm?atemacc=rsitvolu#isi", "user.name": "eroi", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Yandex Browser", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36", "user_agent.os.full": "Mac OS X 10.15.6", @@ -6874,8 +6874,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tquovo", "rsa.misc.action": [ - "qua", - "Allowed" + "Allowed", + "qua" ], "rsa.misc.category": "ectet", "rsa.misc.filter": "lites", @@ -6932,8 +6932,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.131.81.172", - "10.139.90.218" + "10.139.90.218", + "10.131.81.172" ], "related.user": [ "hende" 
@@ -7005,8 +7005,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.152.217.174", - "10.128.43.71" + "10.128.43.71", + "10.152.217.174" ], "related.user": [ "mquiado" @@ -7020,8 +7020,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "olupt", "rsa.misc.action": [ - "Blocked", - "temvele" + "temvele", + "Blocked" ], "rsa.misc.category": "natuser", "rsa.misc.filter": "amnihil", @@ -7046,7 +7046,7 @@ ], "url.original": "https://www.example.org/erit/asiarch.gif?tdolor=oremagna#siuta", "user.name": "mquiado", - "user_agent.device.name": "Generic Tablet", + "user_agent.device.name": "Notepad_K10", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36", "user_agent.os.full": "Android 9", @@ -7078,8 +7078,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.217.193.148", - "10.26.149.221" + "10.26.149.221", + "10.217.193.148" ], "related.user": [ "uisa" @@ -7224,8 +7224,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.119.106.108", - "10.135.38.213" + "10.135.38.213", + "10.119.106.108" ], "related.user": [ "ore" @@ -7265,7 +7265,7 @@ ], "url.original": "https://mail.example.com/ostr/liqu.txt?niam=mullamc#umtota", "user.name": "ore", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "5024D_RU", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61", "user_agent.os.full": "Android 9", diff --git a/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json b/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json index 423d10f5ac2..66ca65108fd 100644 
--- a/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json +++ b/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json @@ -28,8 +28,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "", "rsa.misc.action": [ - "", - "" + "", + "" ], "rsa.misc.category": "", "rsa.misc.filter": "", diff --git a/x-pack/filebeat/modules.d/f5.yml.disabled b/x-pack/filebeat/modules.d/f5.yml.disabled index 633a0c5636a..5016213bea3 100644 --- a/x-pack/filebeat/modules.d/f5.yml.disabled +++ b/x-pack/filebeat/modules.d/f5.yml.disabled @@ -20,22 +20,3 @@ # "local" (default) for system timezone. # "+02:00" for GMT+02:00 # var.tz_offset: local - - firepass: - enabled: true - - # Set which input to use between udp (default), tcp or file. - # var.input: udp - # var.syslog_host: localhost - # var.syslog_port: 9509 - - # Set paths for the log files when file input is used. - # var.paths: - - # Toggle output of non-ECS fields (default true). - # var.rsa_fields: true - - # Set custom timezone offset. - # "local" (default) for system timezone. - # "+02:00" for GMT+02:00 - # var.tz_offset: local diff --git a/x-pack/functionbeat/Dockerfile b/x-pack/functionbeat/Dockerfile index 844d810830d..c041d74db61 100644 --- a/x-pack/functionbeat/Dockerfile +++ b/x-pack/functionbeat/Dockerfile @@ -10,8 +10,6 @@ RUN \ python3-venv \ && rm -rf /var/lib/apt/lists/* -ENV PYTHON_ENV=/tmp/python-env - RUN pip3 install --upgrade pip==20.1.1 RUN pip3 install --upgrade setuptools==47.3.2 RUN pip3 install --upgrade docker-compose==1.23.2 diff --git a/x-pack/libbeat/Dockerfile b/x-pack/libbeat/Dockerfile index ac25e26ac2b..c6cbeb8f869 100644 --- a/x-pack/libbeat/Dockerfile +++ b/x-pack/libbeat/Dockerfile @@ -10,8 +10,6 @@ RUN \ python3-venv \ && rm -rf /var/lib/apt/lists/* -ENV PYTHON_ENV=/tmp/python-env - RUN pip3 install --upgrade pip==20.1.1 RUN pip3 install --upgrade setuptools==47.3.2 RUN pip3 install --upgrade docker-compose==1.23.2 
diff --git a/x-pack/metricbeat/metricbeat.reference.yml b/x-pack/metricbeat/metricbeat.reference.yml index 68178d0e715..45da035284f 100644 --- a/x-pack/metricbeat/metricbeat.reference.yml +++ b/x-pack/metricbeat/metricbeat.reference.yml @@ -969,8 +969,10 @@ metricbeat.modules: #-------------------------------- MySQL Module -------------------------------- - module: mysql metricsets: - - "status" - # - "galera_status" + - status + # - galera_status + # - performance + # - query period: 10s # Host DSN should be defined as "user:pass@tcp(127.0.0.1:3306)/" diff --git a/x-pack/metricbeat/module/aws/_meta/docs.asciidoc b/x-pack/metricbeat/module/aws/_meta/docs.asciidoc index 32afafebf86..fe9aeea007f 100644 --- a/x-pack/metricbeat/module/aws/_meta/docs.asciidoc +++ b/x-pack/metricbeat/module/aws/_meta/docs.asciidoc @@ -2,10 +2,12 @@ This module periodically fetches monitoring metrics from AWS CloudWatch using https://docs.aws.amazon.com/AmazonCloudWatch/latest/APIReference/API_GetMetricData.html[GetMetricData API] for AWS services. -Note: extra AWS charges on GetMetricData API requests will be generated by this module. All metrics are enabled by default. +IMPORTANT: Extra AWS charges on CloudWatch API requests will be generated by this +module. Please see <> for more details. + [float] == Module-specific configuration notes @@ -188,6 +190,7 @@ real-time metrics for users to better understand the performance of their web applications and services. [float] +[[aws-api-requests]] == AWS API requests count per metricset This session is to document what are the AWS API called made by each metricset in `aws` module. This will be useful for users to estimate costs for using `aws` diff --git a/x-pack/metricbeat/module/aws/ec2/_meta/data.json b/x-pack/metricbeat/module/aws/ec2/_meta/data.json index e1726219cf6..8b1c43a1d19 100644 --- a/x-pack/metricbeat/module/aws/ec2/_meta/data.json +++ b/x-pack/metricbeat/module/aws/ec2/_meta/data.json 
@@ -3,12 +3,12 @@ "aws": { "ec2": { "cpu": { - "credit_balance": 576, - "credit_usage": 0.217777, + "credit_balance": 144, + "credit_usage": 0.061395, "surplus_credit_balance": 0, "surplus_credits_charged": 0, "total": { - "pct": 2.1374965268131265 + "pct": 1.1651199407241788 } }, "diskio": { @@ -27,21 +27,21 @@ }, "instance": { "core": { - "count": 2 + "count": 1 }, "image": { - "id": "ami-f920cd94" + "id": "ami-04bc3da8f14823e88" }, "monitoring": { "state": "disabled" }, "private": { - "dns_name": "ip-10-0-0-148.ec2.internal", - "ip": "10.0.0.148" + "dns_name": "ip-172-31-9-119.us-west-1.compute.internal", + "ip": "172.31.9.119" }, "public": { - "dns_name": "ec2-54-226-109-162.compute-1.amazonaws.com", - "ip": "54.226.109.162" + "dns_name": "ec2-13-52-163-56.us-west-1.compute.amazonaws.com", + "ip": "13.52.163.56" }, "state": { "code": 16, @@ -51,16 +51,16 @@ }, "network": { "in": { - "bytes": 1510123.4, - "bytes_per_sec": 5033.7446666666665, - "packets": 3126.4, - "packets_per_sec": 10.421333333333333 + "bytes": 7375.4, + "bytes_per_sec": 24.584666666666667, + "packets": 49, + "packets_per_sec": 0.16333333333333333 }, "out": { - "bytes": 464863, - "bytes_per_sec": 1549.5433333333333, - "packets": 3031.2, - "packets_per_sec": 10.104 + "bytes": 11567, + "bytes_per_sec": 38.556666666666665, + "packets": 44.8, + "packets_per_sec": 0.14933333333333332 } }, "status": { @@ -70,24 +70,25 @@ } }, "tags": { - "Cost": "$614.01", - "Name": "container-registry-test-ui.elastic.co" + "Name": "mysql-test", + "created-by": "ks" } }, "cloud": { "account": { - "id": "627959692251", - "name": "elastic-test" + "id": "428152502467", + "name": "elastic-beats" }, - "availability_zone": "us-east-1b", + "availability_zone": "us-west-1b", "instance": { - "id": "i-77f84332" + "id": "i-0516ddaca5c1d231f", + "name": "mysql-test" }, "machine": { - "type": "t2.medium" + "type": "t2.micro" }, "provider": "aws", - "region": "us-east-1" + "region": "us-west-1" }, "event": { "dataset": "aws.ec2", 
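Review bot: The refreshed sample data in the `cloud.account` and `instance.public` hunks embeds what looks like a real AWS account ID (`428152502467`), a real instance ID and a real public endpoint (`13.52.163.56` / `ec2-13-52-163-56.us-west-1.compute.amazonaws.com`), and this file is shipped as documentation for anyone to read. The account ID is not a credential by itself, but combined with the public address it points readers at a concrete test host; the values it replaces had the same shape, so this is a pre-existing practice rather than something this commit introduces. I would scrub them to placeholders before merging, e.g. `"ip": "203.0.113.10"`, `"id": "123456789012"`, with the DNS name rewritten to match. If this file is produced by a generator from a live instance, as its location under `_meta/` suggests, the scrub belongs in that generator rather than in a hand edit here.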
diff --git a/x-pack/metricbeat/module/aws/ec2/ec2.go b/x-pack/metricbeat/module/aws/ec2/ec2.go index 6e597c61c25..f3374de8a3e 100644 --- a/x-pack/metricbeat/module/aws/ec2/ec2.go +++ b/x-pack/metricbeat/module/aws/ec2/ec2.go @@ -201,6 +201,10 @@ func (m *MetricSet) createCloudWatchEvents(getMetricDataResults []cloudwatch.Met // Note: tag values are not dedotted. for _, tag := range tags { events[instanceID].ModuleFields.Put("tags."+common.DeDot(*tag.Key), *tag.Value) + // add cloud.instance.name and host.name into ec2 events + if *tag.Key == "Name" { + events[instanceID].RootFields.Put("cloud.instance.name", *tag.Value) + } } machineType, err := instanceOutput[instanceID].InstanceType.MarshalValue() diff --git a/x-pack/metricbeat/module/azure/_meta/docs.asciidoc b/x-pack/metricbeat/module/azure/_meta/docs.asciidoc index 38e11f24a85..e828c89e41a 100644 --- a/x-pack/metricbeat/module/azure/_meta/docs.asciidoc +++ b/x-pack/metricbeat/module/azure/_meta/docs.asciidoc @@ -10,6 +10,9 @@ Additional azure API calls will be executed in order to retrieve information reg The azure module mericsets are `monitor`, `compute_vm` and `compute_vm_scaleset` +IMPORTANT: Extra Azure charges on metric queries may be generated by this module. +Please see <> for more details. + [float] === Dashboards @@ -111,6 +114,7 @@ so the `period` for `billing` metricset should be `24h` or multiples of `24h`. This metricset will collect application insights metrics, the `period` (interval) for the `app-insights` metricset is set by default at `300s`. [float] +[[azure-api-cost]] == Additional notes about metrics and costs Costs: Metric queries are charged based on the number of standard API calls. More information on pricing here https://azure.microsoft.com/id-id/pricing/details/monitor/. diff --git a/x-pack/metricbeat/module/googlecloud/_meta/docs.asciidoc b/x-pack/metricbeat/module/googlecloud/_meta/docs.asciidoc index b5a676d65ad..00846498770 100644 
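Review bot: The comment added above the new `if` says it adds `cloud.instance.name and host.name into ec2 events`, but the branch only writes `cloud.instance.name`, so the comment will mislead the next reader into assuming `host.name` is populated from the tag. Either trim it to `// expose the instance's Name tag as cloud.instance.name` or add the second field explicitly if that was the intent. The new branch dereferences `*tag.Key` and `*tag.Value` without a nil check and discards the error from `RootFields.Put`, which mirrors the existing `ModuleFields.Put` line directly above rather than introducing anything new, so I would only flag it if nil tag values are possible in practice. createCloudWatchEvents starts and ends outside the hunk.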
--- a/x-pack/metricbeat/module/googlecloud/_meta/docs.asciidoc +++ b/x-pack/metricbeat/module/googlecloud/_meta/docs.asciidoc @@ -1,6 +1,9 @@ This module periodically fetches monitoring metrics from Google Cloud Platform using https://cloud.google.com/monitoring/api/metrics_gcp[Stackdriver Monitoring API] for Google Cloud Platform services. -Note: extra GCP charges on Stackdriver Monitoring API requests will be generated by this module. + +IMPORTANT: Extra GCP charges on Stackdriver Monitoring API requests may be +generated by this module. Please see <> +for more details. [float] == Module config and parameters 
@@ -128,7 +131,8 @@ GCP monitoring data has a up to 240 seconds latency, which means latest monitori In googlecloud module, metrics are collected based on this ingest delay, which is also obtained from ListMetricDescriptors API. [float] -=== Rough estimation of the number of API Calls +[[gcp-api-requests]] +=== Rough estimation of the number of API calls Google Cloud Platform pricing depends of the number of requests you do to their API's. Here you have some information that you can use to make an estimation of the pricing you should expect. For example, imagine that you have a Compute Metricset activated and you don't want to exclude labels. You have a total of 20 instances running in a particular GCP project, region and zone. For example, if Compute Metricset fetches 14 metrics (which is the number of metrics fetched in the early beta version). Each of those metrics will attempt an API call to Compute API to retrieve also their metadata. Because you have 20 different instances, the total number of API calls that will be done on each refresh period are: 14 metrics + 20 instances = 34 API requests every 5 minutes if that is your current Period. 9792 API requests per day with one zone. If you add 2 zones more with the same amount of instances you'll have 19584 API requests per day (9792 on each zone) or around 587520 per month for the Compute Metricset. This maths must be done for each different Metricset with slight variations.