diff --git a/filebeat/module/apache/access/test/test-vhost.log-expected.json b/filebeat/module/apache/access/test/test-vhost.log-expected.json index d61237c3c8dd..b332788ad2b0 100644 --- a/filebeat/module/apache/access/test/test-vhost.log-expected.json +++ b/filebeat/module/apache/access/test/test-vhost.log-expected.json @@ -19,7 +19,7 @@ "source.ip": "192.168.33.2", "url.original": "/hello", "user.name": "-", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0", "user_agent.os.full": "Mac OS X 10.12", diff --git a/filebeat/module/apache/access/test/test.log-expected.json b/filebeat/module/apache/access/test/test.log-expected.json index 7b15274997ad..ebe888475861 100644 --- a/filebeat/module/apache/access/test/test.log-expected.json +++ b/filebeat/module/apache/access/test/test.log-expected.json @@ -39,7 +39,7 @@ "source.ip": "192.168.33.1", "url.original": "/hello", "user.name": "-", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0", "user_agent.os.full": "Mac OS X 10.12", diff --git a/filebeat/module/apache/access/test/ubuntu-2.2.22.log-expected.json b/filebeat/module/apache/access/test/ubuntu-2.2.22.log-expected.json index cdf664d927e2..e9680e5b7fbc 100644 --- a/filebeat/module/apache/access/test/ubuntu-2.2.22.log-expected.json +++ b/filebeat/module/apache/access/test/ubuntu-2.2.22.log-expected.json @@ -45,7 +45,7 @@ "source.ip": "192.168.33.1", "url.original": "/", "user.name": "-", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36", "user_agent.os.full": "Mac OS X 10.12.0", @@ -73,7 +73,7 @@ "source.ip": "192.168.33.1", "url.original": "/favicon.ico", "user.name": "-", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36", "user_agent.os.full": "Mac OS X 10.12.0", @@ -101,7 +101,7 @@ "source.ip": "192.168.33.1", "url.original": "/", "user.name": "-", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0", "user_agent.os.full": "Mac OS X 10.12", @@ -129,7 +129,7 @@ "source.ip": "192.168.33.1", "url.original": "/favicon.ico", "user.name": "-", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0", "user_agent.os.full": "Mac OS X 10.12", @@ -157,7 +157,7 @@ "source.ip": "192.168.33.1", "url.original": "/favicon.ico", "user.name": "-", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0", "user_agent.os.full": "Mac OS X 10.12", @@ -185,7 +185,7 @@ "source.ip": "192.168.33.1", "url.original": "/test", "user.name": "-", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0", "user_agent.os.full": "Mac OS X 10.12", @@ -213,7 +213,7 @@ "source.ip": "192.168.33.1", "url.original": "/hello", "user.name": "-", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0", "user_agent.os.full": "Mac OS X 10.12", @@ -241,7 +241,7 @@ "source.ip": "192.168.33.1", "url.original": "/crap", "user.name": "-", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:50.0) Gecko/20100101 Firefox/50.0", "user_agent.os.full": "Mac OS X 10.12", diff --git a/filebeat/module/iis/access/test/test-ipv6zone.log-expected.json b/filebeat/module/iis/access/test/test-ipv6zone.log-expected.json index 448779366cea..c3f4a4932dac 100644 --- a/filebeat/module/iis/access/test/test-ipv6zone.log-expected.json +++ b/filebeat/module/iis/access/test/test-ipv6zone.log-expected.json @@ -37,7 +37,7 @@ "source.address": "::1%0", "source.ip": "::1", "url.path": "/", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36", "user_agent.os.full": "Mac OS X 10.14.0", diff --git a/filebeat/module/iis/access/test/test.log-expected.json b/filebeat/module/iis/access/test/test.log-expected.json index 909bffb0e627..adb56a2eadd7 100644 --- a/filebeat/module/iis/access/test/test.log-expected.json +++ b/filebeat/module/iis/access/test/test.log-expected.json @@ -133,7 +133,7 @@ "source.geo.region_name": "Land Berlin", "source.ip": "85.181.35.98", "url.path": "/", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36", "user_agent.os.full": "Mac OS X 10.14.0", diff --git a/filebeat/module/nginx/access/test/access.log-expected.json b/filebeat/module/nginx/access/test/access.log-expected.json index 38ced3a64acb..92519cc1e811 100644 --- a/filebeat/module/nginx/access/test/access.log-expected.json +++ b/filebeat/module/nginx/access/test/access.log-expected.json @@ -38,7 +38,7 @@ "source.geo.region_name": "Rheinland-Pfalz", "source.ip": "77.179.66.156", "url.original": "/", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36", "user_agent.os.full": "Mac OS X 10.12.0", @@ -86,7 +86,7 @@ "source.geo.region_name": "Rheinland-Pfalz", "source.ip": "77.179.66.156", "url.original": "/favicon.ico", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36", "user_agent.os.full": "Mac OS X 10.12.0", @@ -133,7 +133,7 @@ "source.geo.region_name": "Rheinland-Pfalz", "source.ip": "77.179.66.156", "url.original": "/adsasd", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36", "user_agent.os.full": "Mac OS X 10.12.0", @@ -180,7 +180,7 @@ "source.geo.region_name": "Rheinland-Pfalz", "source.ip": "77.179.66.156", "url.original": "/", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36", "user_agent.os.full": "Mac OS X 10.12.0", @@ -228,7 +228,7 @@ "source.geo.region_name": "Rheinland-Pfalz", "source.ip": "77.179.66.156", "url.original": "/favicon.ico", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36", "user_agent.os.full": "Mac OS X 10.12.0", @@ -275,7 +275,7 @@ "source.geo.region_name": "Rheinland-Pfalz", "source.ip": "77.179.66.156", "url.original": "/test", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36", "user_agent.os.full": "Mac OS X 10.12.0", @@ -322,7 +322,7 @@ "source.geo.region_name": "Rheinland-Pfalz", "source.ip": "77.179.66.156", "url.original": "/test", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36", "user_agent.os.full": "Mac OS X 10.12.0", @@ -369,7 +369,7 @@ "source.geo.region_name": "Rheinland-Pfalz", "source.ip": "77.179.66.156", "url.original": "/test1", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36", "user_agent.os.full": "Mac OS X 10.12.0", @@ -407,7 +407,7 @@ "source.address": "127.0.0.1", "source.ip": "127.0.0.1", "url.original": "/test1", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36", "user_agent.os.full": "Mac OS X 10.12.0", @@ -445,7 +445,7 @@ "source.address": "127.0.0.1", "source.ip": "127.0.0.1", "url.original": "/", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0", "user_agent.os.full": "Mac OS X 10.12", @@ -483,7 +483,7 @@ "source.address": "127.0.0.1", "source.ip": "127.0.0.1", "url.original": "/", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0", "user_agent.os.full": "Mac OS X 10.12", @@ -521,7 +521,7 @@ "source.address": "127.0.0.1", "source.ip": "127.0.0.1", "url.original": "/taga", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0", "user_agent.os.full": "Mac OS X 10.12", diff --git a/filebeat/module/nginx/access/test/test-with-host.log-expected.json b/filebeat/module/nginx/access/test/test-with-host.log-expected.json index 426b08eafd8e..a19686951847 100644 --- a/filebeat/module/nginx/access/test/test-with-host.log-expected.json +++ b/filebeat/module/nginx/access/test/test-with-host.log-expected.json @@ -32,7 +32,7 @@ "source.address": "10.0.0.2", "source.ip": "10.0.0.2", "url.original": "/ocelot", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0", "user_agent.os.full": "Mac OS X 10.12", @@ -121,7 +121,7 @@ "source.geo.region_name": "Land Berlin", "source.ip": "85.181.35.98", "url.original": "/ocelot", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0", "user_agent.os.full": "Mac OS X 10.12", @@ -170,7 +170,7 @@ "source.geo.region_name": "Land Berlin", "source.ip": "85.181.35.98", "url.original": "/ocelot", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36", "user_agent.os.full": "Mac OS X 10.14.0", diff --git a/filebeat/module/nginx/access/test/test.log-expected.json b/filebeat/module/nginx/access/test/test.log-expected.json index 47d88c36eada..75caf6cf9f8a 100644 --- a/filebeat/module/nginx/access/test/test.log-expected.json +++ b/filebeat/module/nginx/access/test/test.log-expected.json @@ -31,7 +31,7 @@ "source.address": "10.0.0.2", "source.ip": "10.0.0.2", "url.original": "/ocelot", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0", "user_agent.os.full": "Mac OS X 10.12", @@ -118,7 +118,7 @@ "source.geo.region_name": "Land Berlin", "source.ip": "85.181.35.98", "url.original": "/ocelot", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:49.0) Gecko/20100101 Firefox/49.0", "user_agent.os.full": "Mac OS X 10.12", @@ -165,7 +165,7 @@ "source.geo.region_name": "Land Berlin", "source.ip": "85.181.35.98", "url.original": "/ocelot", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36", "user_agent.os.full": "Mac OS X 10.14.0", diff --git a/filebeat/module/nginx/ingress_controller/test/test.log-expected.json b/filebeat/module/nginx/ingress_controller/test/test.log-expected.json index 6a22bb503ca5..4bf393a59064 100644 --- a/filebeat/module/nginx/ingress_controller/test/test.log-expected.json +++ b/filebeat/module/nginx/ingress_controller/test/test.log-expected.json @@ -336,7 +336,7 @@ "source.address": "192.168.64.1", "source.ip": "192.168.64.1", "url.original": "/products/42", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36", "user_agent.os.full": "Mac OS X 10.14.6", @@ -385,7 +385,7 @@ "source.address": "192.168.64.1", "source.ip": "192.168.64.1", "url.original": "/favicon.ico", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36", "user_agent.os.full": "Mac OS X 10.14.6", @@ -433,7 +433,7 @@ "source.address": "192.168.64.1", "source.ip": "192.168.64.1", "url.original": "/v2", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36", "user_agent.os.full": "Mac OS X 10.14.6", @@ -482,7 +482,7 @@ "source.address": "192.168.64.1", "source.ip": "192.168.64.1", "url.original": "/favicon.ico", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.130 Safari/537.36", "user_agent.os.full": "Mac OS X 10.14.6", @@ -530,7 +530,7 @@ "source.address": "192.168.64.1", "source.ip": "192.168.64.1", "url.original": "/products/42", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Safari", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15", "user_agent.os.full": "Mac OS X 10.14.6", @@ -579,7 +579,7 @@ "source.address": "192.168.64.1", "source.ip": "192.168.64.1", "url.original": "/favicon.ico", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Safari", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15", "user_agent.os.full": "Mac OS X 10.14.6", @@ -627,7 +627,7 @@ "source.address": "192.168.64.1", "source.ip": "192.168.64.1", "url.original": "/products/42", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Safari", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15", "user_agent.os.full": "Mac OS X 10.14.6", @@ -675,7 +675,7 @@ "source.address": "192.168.64.1", "source.ip": "192.168.64.1", "url.original": "/", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Safari", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15", "user_agent.os.full": "Mac OS X 10.14.6", @@ -724,7 +724,7 @@ "source.address": "192.168.64.1", "source.ip": "192.168.64.1", "url.original": "/favicon.ico", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Safari", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15", "user_agent.os.full": "Mac OS X 10.14.6", @@ -772,7 +772,7 @@ "source.address": "192.168.64.1", "source.ip": "192.168.64.1", "url.original": "/v2", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Safari", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15", "user_agent.os.full": "Mac OS X 10.14.6", @@ -821,7 +821,7 @@ "source.address": "192.168.64.1", "source.ip": "192.168.64.1", "url.original": "/favicon.ico", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Safari", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Safari/605.1.15", "user_agent.os.full": "Mac OS X 10.14.6", @@ -914,7 +914,7 @@ "source.address": "192.168.64.1", "source.ip": "192.168.64.1", "url.original": "/v2", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -962,7 +962,7 @@ "source.address": "192.168.64.1", "source.ip": "192.168.64.1", "url.original": "/favicon.ico", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -1010,7 +1010,7 @@ "source.address": "192.168.64.1", "source.ip": "192.168.64.1", "url.original": "/v2/some", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", diff --git a/x-pack/filebeat/module/cylance/protect/test/generated.log-expected.json b/x-pack/filebeat/module/cylance/protect/test/generated.log-expected.json index abf3264f09f9..21a794b1d4cf 100644 --- a/x-pack/filebeat/module/cylance/protect/test/generated.log-expected.json +++ b/x-pack/filebeat/module/cylance/protect/test/generated.log-expected.json @@ -3161,7 +3161,7 @@ "user.name": "stenatus" }, { - "@timestamp": "2019-07-24T10:58:48.000Z", + "@timestamp": "2020-07-24T10:58:48.000Z", "event.action": "Alert", "event.code": "CylancePROTECT", "event.dataset": "cylance.protect", @@ -3186,7 +3186,7 @@ "rsa.network.alias_host": [ "squ2213.www.test" ], - "rsa.time.event_time": "2019-07-24T10:58:48.000Z", + "rsa.time.event_time": "2020-07-24T10:58:48.000Z", "service.type": "cylance", "tags": [ "cylance.protect", diff --git a/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json b/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json index b06452aca740..b3f74874b99b 100644 --- a/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json +++ b/x-pack/filebeat/module/f5/bigipapm/test/generated.log-expected.json @@ -1556,8 +1556,8 @@ "observer.vendor": "F5", "process.pid": 1973, "related.ip": [ - "10.47.99.72", - "10.187.64.126" + "10.187.64.126", + "10.47.99.72" ], "rsa.internal.messageid": "01490500", "rsa.misc.category": "oremipsu", diff --git a/x-pack/filebeat/module/f5/firepass/test/generated.log-expected.json b/x-pack/filebeat/module/f5/firepass/test/generated.log-expected.json index e783667b4924..6c58cc63ba7e 100644 --- a/x-pack/filebeat/module/f5/firepass/test/generated.log-expected.json +++ b/x-pack/filebeat/module/f5/firepass/test/generated.log-expected.json @@ -405,8 +405,8 @@ "observer.type": "VPN", "observer.vendor": "F5", "related.ip": [ - "10.18.220.102", - "10.230.12.79" + "10.230.12.79", + "10.18.220.102" ], "rsa.db.index": "obeataev", "rsa.internal.messageid": "kernel", @@ -835,8 +835,8 @@ "observer.type": "VPN", "observer.vendor": "F5", "related.ip": [ - "10.117.146.33", - "10.46.158.31" + "10.46.158.31", + "10.117.146.33" ], "rsa.db.index": "dun", "rsa.internal.messageid": "kernel", @@ -2303,8 +2303,8 @@ "observer.type": "VPN", "observer.vendor": "F5", "related.ip": [ - "10.65.175.9", - "10.225.181.30" + "10.225.181.30", + "10.65.175.9" ], "rsa.db.index": "uia", "rsa.internal.messageid": "kernel", diff --git a/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json b/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json index e2670bf5b87d..3b9dc0716ec7 100644 --- a/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json +++ b/x-pack/filebeat/module/fortinet/clientendpoint/test/generated.log-expected.json @@ -186,8 +186,8 @@ "observer.vendor": "Fortinet", "process.pid": 5712, "related.ip": [ - "10.134.137.177", - "10.202.204.154" + "10.202.204.154", + "10.134.137.177" ], "related.user": [ "orsitame" @@ -241,8 +241,8 @@ "observer.vendor": "Fortinet", "process.pid": 6557, "related.ip": [ - "10.245.142.250", - "10.70.0.60" + "10.70.0.60", + "10.245.142.250" ], "related.user": [ "eos" @@ -296,8 +296,8 @@ "observer.vendor": "Fortinet", "process.pid": 2061, "related.ip": [ - "10.200.188.142", - "10.202.72.124" + "10.202.72.124", + "10.200.188.142" ], "related.user": [ "iusmodt" @@ -406,8 +406,8 @@ "observer.vendor": "Fortinet", "process.pid": 5037, "related.ip": [ - "10.66.108.11", - "10.198.136.50" + "10.198.136.50", + "10.66.108.11" ], "related.user": [ "uptatev" @@ -461,8 +461,8 @@ "observer.vendor": "Fortinet", "process.pid": 776, "related.ip": [ - "10.178.244.31", - "10.69.20.77" + "10.69.20.77", + "10.178.244.31" ], "related.user": [ "umdolor" @@ -626,8 +626,8 @@ "observer.vendor": "Fortinet", "process.pid": 2703, "related.ip": [ - "10.57.40.29", - "10.210.213.18" + "10.210.213.18", + "10.57.40.29" ], "related.user": [ "onse" @@ -736,8 +736,8 @@ "observer.vendor": "Fortinet", "process.pid": 7668, "related.ip": [ - "10.72.58.135", - "10.109.232.112" + "10.109.232.112", + "10.72.58.135" ], "related.user": [ "xea" @@ -846,8 +846,8 @@ "observer.vendor": "Fortinet", "process.pid": 7183, "related.ip": [ - "10.76.72.111", - "10.70.95.74" + "10.70.95.74", + "10.76.72.111" ], "related.user": [ "ivelits" @@ -901,8 +901,8 @@ "observer.vendor": "Fortinet", "process.pid": 6907, "related.ip": [ - "10.19.201.13", - "10.73.69.75" + "10.73.69.75", + "10.19.201.13" ], "related.user": [ "tat" @@ -1011,8 +1011,8 @@ "observer.vendor": "Fortinet", "process.pid": 1531, "related.ip": [ - "10.135.233.146", - "10.25.192.202" + "10.25.192.202", + "10.135.233.146" ], "related.user": [ "emeumfu" @@ -1066,8 +1066,8 @@ "observer.vendor": "Fortinet", "process.pid": 6051, "related.ip": [ - "10.104.134.200", - "10.121.219.204" + "10.121.219.204", + "10.104.134.200" ], "related.user": [ "uptat" @@ -1176,8 +1176,8 @@ "observer.vendor": "Fortinet", "process.pid": 5200, "related.ip": [ - "10.161.57.8", - "10.141.44.153" + "10.141.44.153", + "10.161.57.8" ], "related.user": [ "quisnos" @@ -1231,8 +1231,8 @@ "observer.vendor": "Fortinet", "process.pid": 3365, "related.ip": [ - "10.6.167.7", - "10.153.111.103" + "10.153.111.103", + "10.6.167.7" ], "related.user": [ "eumfug" @@ -1286,8 +1286,8 @@ "observer.vendor": "Fortinet", "process.pid": 1835, "related.ip": [ - "10.134.148.219", - "10.248.204.182" + "10.248.204.182", + "10.134.148.219" ], "related.user": [ "uioffi" @@ -1506,8 +1506,8 @@ "observer.vendor": "Fortinet", "process.pid": 2328, "related.ip": [ - "10.168.90.81", - "10.101.57.120" + "10.101.57.120", + "10.168.90.81" ], "related.user": [ "eporr" @@ -1561,8 +1561,8 @@ "observer.vendor": "Fortinet", "process.pid": 1156, "related.ip": [ - "10.14.211.43", - "10.130.14.60" + "10.130.14.60", + "10.14.211.43" ], "related.user": [ "litse" @@ -1616,8 +1616,8 @@ "observer.vendor": "Fortinet", "process.pid": 6003, "related.ip": [ - "10.60.129.15", - "10.248.101.25" + "10.248.101.25", + "10.60.129.15" ], "related.user": [ "evolup" @@ -1781,8 +1781,8 @@ "observer.vendor": "Fortinet", "process.pid": 6932, "related.ip": [ - "10.75.99.127", - "10.195.2.130" + "10.195.2.130", + "10.75.99.127" ], "related.user": [ "inibusB" @@ -1836,8 +1836,8 @@ "observer.vendor": "Fortinet", "process.pid": 6945, "related.ip": [ - "10.245.104.182", - "10.201.238.90" + "10.201.238.90", + "10.245.104.182" ], "related.user": [ "ovol" @@ -1946,8 +1946,8 @@ "observer.vendor": "Fortinet", "process.pid": 4153, "related.ip": [ - "10.184.18.202", - "10.4.157.1" + "10.4.157.1", + "10.184.18.202" ], "related.user": [ "oditem" @@ -2001,8 +2001,8 @@ "observer.vendor": "Fortinet", "process.pid": 1693, "related.ip": [ - "10.113.95.59", - "10.255.39.252" + "10.255.39.252", + "10.113.95.59" ], "related.user": [ "persp" @@ -2221,8 +2221,8 @@ "observer.vendor": "Fortinet", "process.pid": 55, "related.ip": [ - "10.9.12.248", - "10.9.18.237" + "10.9.18.237", + "10.9.12.248" ], "related.user": [ "uradi" @@ -2276,8 +2276,8 @@ "observer.vendor": "Fortinet", "process.pid": 228, "related.ip": [ - "10.41.123.102", - "10.83.130.226" + "10.83.130.226", + "10.41.123.102" ], "related.user": [ "tenim" @@ -2331,8 +2331,8 @@ "observer.vendor": "Fortinet", "process.pid": 4253, "related.ip": [ - "10.175.112.197", - "10.80.152.108" + "10.80.152.108", + "10.175.112.197" ], "related.user": [ "tametcon" @@ -2386,8 +2386,8 @@ "observer.vendor": "Fortinet", "process.pid": 2200, "related.ip": [ - "10.142.25.100", - "10.134.18.114" + "10.134.18.114", + "10.142.25.100" ], "related.user": [ "osqui" @@ -2991,8 +2991,8 @@ "observer.vendor": "Fortinet", "process.pid": 276, "related.ip": [ - "10.50.233.155", - "10.60.142.127" + "10.60.142.127", + "10.50.233.155" ], "related.user": [ "atv" @@ -3101,8 +3101,8 @@ "observer.vendor": "Fortinet", "process.pid": 3453, "related.ip": [ - "10.6.38.163", - "10.31.237.225" + "10.31.237.225", + "10.6.38.163" ], "related.user": [ "olup" @@ -3156,8 +3156,8 @@ "observer.vendor": "Fortinet", "process.pid": 2302, "related.ip": [ - "10.226.5.189", - "10.125.165.144" + "10.125.165.144", + "10.226.5.189" ], "related.user": [ "mvolu" @@ -3321,8 +3321,8 @@ "observer.vendor": "Fortinet", "process.pid": 1586, "related.ip": [ - "10.123.199.198", - "10.17.87.79" + "10.17.87.79", + "10.123.199.198" ], "related.user": [ "ratvolu" @@ -3376,8 +3376,8 @@ "observer.vendor": "Fortinet", "process.pid": 5137, "related.ip": [ - "10.38.86.177", - "10.115.68.40" + "10.115.68.40", + "10.38.86.177" ], "related.user": [ "mpo" @@ -3541,8 +3541,8 @@ "observer.vendor": "Fortinet", "process.pid": 5398, "related.ip": [ - "10.1.96.93", - "10.54.73.158" + "10.54.73.158", + "10.1.96.93" ], "related.user": [ "lloinven" @@ -3651,8 +3651,8 @@ "observer.vendor": "Fortinet", "process.pid": 6064, "related.ip": [ - "10.77.229.168", - "10.181.247.224" + "10.181.247.224", + "10.77.229.168" ], "related.user": [ "adol" @@ -3871,8 +3871,8 @@ "observer.vendor": "Fortinet", "process.pid": 4984, "related.ip": [ - "10.77.78.180", - "10.97.236.123" + "10.97.236.123", + "10.77.78.180" ], "related.user": [ "nisi" @@ -4256,8 +4256,8 @@ "observer.vendor": "Fortinet", "process.pid": 7128, "related.ip": [ - "10.76.125.70", - "10.54.23.133" + "10.54.23.133", + "10.76.125.70" ], "related.user": [ "oloreeu" @@ -4311,8 +4311,8 @@ "observer.vendor": "Fortinet", "process.pid": 2780, "related.ip": [ - "10.189.42.62", - "10.36.110.69" + "10.36.110.69", + "10.189.42.62" ], "related.user": [ "eque" @@ -4366,8 +4366,8 @@ "observer.vendor": "Fortinet", "process.pid": 3284, "related.ip": [ - "10.183.202.82", - "10.47.179.68" + "10.47.179.68", + "10.183.202.82" ], "related.user": [ "umfugi" @@ -4531,8 +4531,8 @@ "observer.vendor": "Fortinet", "process.pid": 3990, "related.ip": [ - "10.30.246.132", - "10.208.18.210" + "10.208.18.210", + "10.30.246.132" ], "related.user": [ "veniam" @@ -4586,8 +4586,8 @@ "observer.vendor": "Fortinet", "process.pid": 4337, "related.ip": [ - "10.106.249.91", - "10.19.119.17" + "10.19.119.17", + "10.106.249.91" ], "related.user": [ "lit" @@ -4641,8 +4641,8 @@ "observer.vendor": "Fortinet", "process.pid": 5275, "related.ip": [ - "10.29.109.126", - "10.181.41.154" + "10.181.41.154", + "10.29.109.126" ], "related.user": [ "labo" @@ -4806,8 +4806,8 @@ "observer.vendor": "Fortinet", "process.pid": 226, "related.ip": [ - "10.103.189.199", - "10.29.120.226" + "10.29.120.226", + "10.103.189.199" ], "related.user": [ "emu" @@ -4916,8 +4916,8 @@ "observer.vendor": "Fortinet", "process.pid": 5647, "related.ip": [ - "10.91.2.135", - "10.126.245.73" + "10.126.245.73", + "10.91.2.135" ], "related.user": [ "olore" @@ -4971,8 +4971,8 @@ "observer.vendor": "Fortinet", "process.pid": 2313, "related.ip": [ - "10.183.243.246", - "10.137.85.123" + "10.137.85.123", + "10.183.243.246" ], "related.user": [ "cid" @@ -5246,8 +5246,8 @@ "observer.vendor": "Fortinet", "process.pid": 4855, "related.ip": [ - "10.143.53.214", - "10.87.144.208" + "10.87.144.208", + "10.143.53.214" ], "related.user": [ "psumq" @@ -5356,8 +5356,8 @@ "observer.vendor": "Fortinet", "process.pid": 4493, "related.ip": [ - "10.194.67.223", - "10.161.64.168" + "10.161.64.168", + "10.194.67.223" ], "related.user": [ "tion" @@ -5411,8 +5411,8 @@ "observer.vendor": "Fortinet", "process.pid": 6094, "related.ip": [ - "10.120.148.241", - "10.100.154.220" + "10.100.154.220", + "10.120.148.241" ], "related.user": [ "rsitam" diff --git a/x-pack/filebeat/module/googlecloud/audit/test/audit-log-entries.json.log-expected.json b/x-pack/filebeat/module/googlecloud/audit/test/audit-log-entries.json.log-expected.json index 18754e2db958..8e5b00aeef89 100644 --- a/x-pack/filebeat/module/googlecloud/audit/test/audit-log-entries.json.log-expected.json +++ b/x-pack/filebeat/module/googlecloud/audit/test/audit-log-entries.json.log-expected.json @@ -79,7 +79,7 @@ "forwarded" ], "user.email": "xxx@xxx.xxx", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)", "user_agent.os.full": "Mac OS X 10.15", @@ -136,7 +136,7 @@ "forwarded" ], "user.email": "xxx@xxx.xxx", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)", "user_agent.os.full": "Mac OS X 10.15", @@ -188,7 +188,7 @@ "forwarded" ], "user.email": "xxx@xxx.xxx", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:71.0) Gecko/20100101 Firefox/71.0,gzip(gfe),gzip(gfe)", "user_agent.os.full": "Mac OS X 10.15", diff --git a/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json b/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json index 4ab905ff64fc..555b06cb1da7 100644 --- a/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json +++ b/x-pack/filebeat/module/imperva/securesphere/test/generated.log-expected.json @@ -20,13 +20,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.81.122.126", - "10.70.155.35" + "10.70.155.35", + "10.81.122.126" ], "related.user": [ "magn", - "aqui", - "tatno" + "tatno", + "aqui" ], "rsa.counters.dclass_c1": 5910, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -106,13 +106,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.58.116.231", - "10.159.182.171" + "10.159.182.171", + "10.58.116.231" ], "related.user": [ "qua", - "temUten", - "uradi" + "uradi", + "temUten" ], "rsa.counters.dclass_c1": 3626, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -161,13 +161,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.232.27.250", - "10.18.124.28" + "10.18.124.28", + "10.232.27.250" ], "related.user": [ - "mquidol", + "lapariat", "modocons", - "lapariat" + "mquidol" ], "rsa.counters.dclass_c1": 6564, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -227,8 +227,8 @@ ], "related.user": [ "oluptas", - "occae", - "intoc" + "intoc", + "occae" ], "rsa.counters.event_counter": 7243, "rsa.db.database": "tNequepo", @@ -352,12 +352,12 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.129.149.43", - "10.211.105.204" + "10.211.105.204", + "10.129.149.43" ], "related.user": [ - "labor", "orema", + "labor", "eveli" ], "rsa.counters.dclass_c1": 6855, @@ -415,9 +415,9 @@ "10.112.250.193" ], "related.user": [ - "ipsumdol", "ide", - "Exc" + "Exc", + "ipsumdol" ], "rsa.counters.dclass_c1": 6852, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -469,13 +469,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.192.34.76", - "10.251.20.13" + "10.251.20.13", + "10.192.34.76" ], "related.user": [ - "iquipe", + "ovol", "tnonpro", - "ovol" + "iquipe" ], "rsa.counters.dclass_c1": 3645, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -528,9 +528,9 @@ "10.59.138.212" ], "related.user": [ - "archite", + "boree", "idunt", - "boree" + "archite" ], "rsa.counters.dclass_c1": 248, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -583,13 +583,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.168.159.13", - "10.230.173.4" + "10.230.173.4", + "10.168.159.13" ], "related.user": [ - "isnostr", + "atemq", "inci", - "atemq" + "isnostr" ], "rsa.counters.dclass_c1": 6135, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -646,9 +646,9 @@ "10.49.167.57" ], "related.user": [ - "ccaeca", + "tali", "sau", - "tali" + "ccaeca" ], "rsa.counters.dclass_c1": 6818, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -708,16 +708,16 @@ ], "related.user": [ "lorsita", - "llamco", - "dolore" + "dolore", + "llamco" ], "rsa.counters.event_counter": 4603, "rsa.db.database": "uptate", "rsa.internal.event_desc": "aquae", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "accept", - "quasia" + "quasia", + "accept" ], "rsa.misc.category": "boreetdo", "rsa.misc.disposition": "aturve", @@ -774,9 +774,9 @@ "10.204.128.215" ], "related.user": [ - "paquioff", "nci", - "rum" + "rum", + "paquioff" ], "rsa.counters.event_counter": 332, "rsa.db.database": "isau", @@ -833,13 +833,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.200.68.129", - "10.34.148.166" + "10.34.148.166", + "10.200.68.129" ], "related.user": [ - "miu", "icabo", - "untutlab" + "untutlab", + "miu" ], "rsa.counters.dclass_c1": 5427, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -893,8 +893,8 @@ ], "related.user": [ "siu", - "conse", - "licabo" + "licabo", + "conse" ], "rsa.counters.dclass_c1": 6356, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -952,8 +952,8 @@ ], "related.user": [ "dipisci", - "olori", - "velite" + "velite", + "olori" ], "rsa.counters.dclass_c1": 7717, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1006,13 +1006,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.233.120.207", - "10.190.10.219" + "10.190.10.219", + "10.233.120.207" ], "related.user": [ "item", - "accusant", - "quamnih" + "quamnih", + "accusant" ], "rsa.counters.dclass_c1": 3278, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1093,13 +1093,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.248.184.200", - "10.100.98.56" + "10.100.98.56", + "10.248.184.200" ], "related.user": [ - "proident", + "boru", "ritati", - "boru" + "proident" ], "rsa.counters.dclass_c1": 5923, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1152,13 +1152,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.197.6.245", - "10.82.28.220" + "10.82.28.220", + "10.197.6.245" ], "related.user": [ "aecatcup", - "oluptat", - "dtempo" + "dtempo", + "oluptat" ], "rsa.counters.dclass_c1": 3071, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1211,8 +1211,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.167.252.183", - "10.6.27.103" + "10.6.27.103", + "10.167.252.183" ], "related.user": [ "redol", @@ -1276,8 +1276,8 @@ "10.88.45.111" ], "related.user": [ - "iameaque", "undeomni", + "iameaque", "lmole" ], "rsa.counters.event_counter": 6344, @@ -1341,9 +1341,9 @@ "10.29.119.245" ], "related.user": [ - "scipitl", "taliqui", - "edolorin" + "edolorin", + "scipitl" ], "rsa.counters.dclass_c1": 5140, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1411,8 +1411,8 @@ "rsa.internal.event_desc": "liquid", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "vitaed", - "allow" + "allow", + "vitaed" ], "rsa.misc.category": "enim", "rsa.misc.disposition": "Finibus", @@ -1463,13 +1463,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.105.190.170", - "10.182.152.242" + "10.182.152.242", + "10.105.190.170" ], "related.user": [ - "litan", "mquisn", - "doeiu" + "doeiu", + "litan" ], "rsa.counters.dclass_c1": 3474, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1528,9 +1528,9 @@ "10.123.166.197" ], "related.user": [ - "liquam", "emUte", - "min" + "min", + "liquam" ], "rsa.counters.event_counter": 7102, "rsa.db.database": "oluptat", @@ -1588,13 +1588,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.201.168.116", - "10.72.75.207" + "10.72.75.207", + "10.201.168.116" ], "related.user": [ - "urau", "eufug", - "eFini" + "eFini", + "urau" ], "rsa.counters.dclass_c1": 3348, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1651,8 +1651,8 @@ "10.58.133.175" ], "related.user": [ - "nde", "mfu", + "nde", "oco" ], "rsa.counters.dclass_c1": 3795, @@ -1706,13 +1706,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.70.29.203", - "10.169.50.59" + "10.169.50.59", + "10.70.29.203" ], "related.user": [ - "pta", "veniamq", - "mquisnos" + "mquisnos", + "pta" ], "rsa.counters.dclass_c1": 2358, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1765,13 +1765,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.137.85.123", - "10.165.182.111" + "10.165.182.111", + "10.137.85.123" ], "related.user": [ - "ames", + "Bonorum", "sis", - "Bonorum" + "ames" ], "rsa.counters.dclass_c1": 6401, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -1854,13 +1854,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.173.178.109", - "10.64.184.196" + "10.64.184.196", + "10.173.178.109" ], "related.user": [ "uian", - "tam", - "nesci" + "nesci", + "tam" ], "rsa.counters.event_counter": 4493, "rsa.db.database": "sin", @@ -1923,8 +1923,8 @@ "10.90.50.149" ], "related.user": [ - "aUtenima", "olupta", + "aUtenima", "olu" ], "rsa.counters.dclass_c1": 1127, @@ -1982,9 +1982,9 @@ "10.18.150.82" ], "related.user": [ + "luptat", "mtota", - "qua", - "luptat" + "qua" ], "rsa.counters.dclass_c1": 6112, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2068,9 +2068,9 @@ "10.151.240.35" ], "related.user": [ - "lam", + "ama", "ametcons", - "ama" + "lam" ], "rsa.counters.dclass_c1": 4325, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2124,8 +2124,8 @@ ], "related.user": [ "quisn", - "ese", - "quasi" + "quasi", + "ese" ], "rsa.counters.dclass_c1": 3970, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2180,21 +2180,21 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.213.165.165", - "10.254.10.98" + "10.254.10.98", + "10.213.165.165" ], "related.user": [ - "ttenb", + "eufugia", "civeli", - "eufugia" + "ttenb" ], "rsa.counters.event_counter": 7365, "rsa.db.database": "utlabore", "rsa.internal.event_desc": "culpaq", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "cancel", - "uptasn" + "uptasn", + "cancel" ], "rsa.misc.category": "quamq", "rsa.misc.disposition": "usan", @@ -2340,13 +2340,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.45.69.152", - "10.29.138.31" + "10.29.138.31", + "10.45.69.152" ], "related.user": [ "volupta", - "umq", - "tsunt" + "tsunt", + "umq" ], "rsa.counters.dclass_c1": 744, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2403,9 +2403,9 @@ "10.152.213.228" ], "related.user": [ + "itationu", "ptatev", - "velillum", - "itationu" + "velillum" ], "rsa.counters.dclass_c1": 7245, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2486,13 +2486,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.208.33.55", - "10.248.102.129" + "10.248.102.129", + "10.208.33.55" ], "related.user": [ - "ulapari", + "mremaper", "inimv", - "mremaper" + "ulapari" ], "rsa.counters.dclass_c1": 6433, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2545,13 +2545,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.203.164.132", - "10.109.230.216" + "10.109.230.216", + "10.203.164.132" ], "related.user": [ - "ectobea", "ibus", - "mporin" + "mporin", + "ectobea" ], "rsa.counters.dclass_c1": 547, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2604,8 +2604,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.117.81.75", - "10.151.203.60" + "10.151.203.60", + "10.117.81.75" ], "related.user": [ "iconsequ", @@ -2663,13 +2663,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.224.217.153", - "10.45.152.205" + "10.45.152.205", + "10.224.217.153" ], "related.user": [ - "utlabo", "eriti", - "imav" + "imav", + "utlabo" ], "rsa.counters.dclass_c1": 922, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2723,21 +2723,21 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.60.164.100", - "10.1.193.187" + "10.1.193.187", + "10.60.164.100" ], "related.user": [ - "adipis", + "hite", "ugi", - "hite" + "adipis" ], "rsa.counters.event_counter": 508, "rsa.db.database": "abo", "rsa.internal.event_desc": "epteurs", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "allow", - "taevitae" + "taevitae", + "allow" ], "rsa.misc.category": "itse", "rsa.misc.disposition": "rever", @@ -2791,9 +2791,9 @@ "10.248.244.203" ], "related.user": [ + "sum", "mquamei", - "eiusm", - "sum" + "eiusm" ], "rsa.counters.dclass_c1": 3058, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2846,9 +2846,9 @@ "10.86.121.152" ], "related.user": [ - "nimv", "ine", - "consecte" + "consecte", + "nimv" ], "rsa.counters.dclass_c1": 2771, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2901,13 +2901,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.204.223.184", - "10.201.223.119" + "10.201.223.119", + "10.204.223.184" ], "related.user": [ - "rcit", "teni", - "tuserror" + "tuserror", + "rcit" ], "rsa.counters.dclass_c1": 4113, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -2964,8 +2964,8 @@ "10.200.12.126" ], "related.user": [ - "Nequepo", "elitsedd", + "Nequepo", "magnido" ], "rsa.counters.dclass_c1": 3243, @@ -3021,13 +3021,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.94.89.177", - "10.65.225.101" + "10.65.225.101", + "10.94.89.177" ], "related.user": [ "citation", - "tuserror", - "emquel" + "emquel", + "tuserror" ], "rsa.counters.event_counter": 2513, "rsa.db.database": "rspiciat", @@ -3090,8 +3090,8 @@ ], "related.user": [ "tione", - "iin", - "uta" + "uta", + "iin" ], "rsa.counters.dclass_c1": 5836, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3146,17 +3146,17 @@ "10.41.181.179" ], "related.user": [ + "iosamn", "equepor", - "niam", - "iosamn" + "niam" ], "rsa.counters.event_counter": 7468, "rsa.db.database": "erspicia", "rsa.internal.event_desc": "ibusB", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "rumwr", - "deny" + "deny", + "rumwr" ], "rsa.misc.category": "rporis", "rsa.misc.disposition": "etco", @@ -3211,9 +3211,9 @@ "10.21.208.103" ], "related.user": [ - "ostr", "imidest", - "mipsa" + "mipsa", + "ostr" ], "rsa.counters.dclass_c1": 7766, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3270,9 +3270,9 @@ "10.23.6.216" ], "related.user": [ - "iarchit", "tevelite", - "iamquisn" + "iamquisn", + "iarchit" ], "rsa.counters.dclass_c1": 639, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -3332,16 +3332,16 @@ ], "related.user": [ "modtempo", - "nofde", - "animide" + "animide", + "nofde" ], "rsa.counters.event_counter": 7580, "rsa.db.database": "Lore", "rsa.internal.event_desc": "nto", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "ali", - "cancel" + "cancel", + "ali" ], "rsa.misc.category": "sciv", "rsa.misc.disposition": "tlabo", @@ -3397,9 +3397,9 @@ "10.178.79.217" ], "related.user": [ - "ccusan", "inibusBo", - "tqui" + "tqui", + "ccusan" ], "rsa.counters.event_counter": 3538, "rsa.db.database": "sequun", @@ -3461,8 +3461,8 @@ "10.77.86.215" ], "related.user": [ - "meaqu", "rcit", + "meaqu", "xerc" ], "rsa.counters.dclass_c1": 7286, @@ -3515,12 +3515,12 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.186.133.184", - "10.211.161.187" + "10.211.161.187", + "10.186.133.184" ], "related.user": [ - "sci", "boriosa", + "sci", "acons" ], "rsa.counters.dclass_c1": 1578, @@ -3569,8 +3569,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.254.198.47", - "10.160.147.230" + "10.160.147.230", + "10.254.198.47" ], "related.user": [ "illoin", @@ -3624,8 +3624,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.182.197.243", - "10.40.24.93" + "10.40.24.93", + "10.182.197.243" ], "related.user": [ "orisnis", @@ -3683,12 +3683,12 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.249.13.159", - "10.108.130.106" + "10.108.130.106", + "10.249.13.159" ], "related.user": [ - "colab", "uisautei", + "colab", "exeacomm" ], "rsa.counters.dclass_c1": 1044, @@ -3744,12 +3744,12 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.39.244.49", - "10.64.94.174" + "10.64.94.174", + "10.39.244.49" ], "related.user": [ - "iunt", "Sedut", + "iunt", "estiae" ], "rsa.counters.event_counter": 7128, @@ -3757,8 +3757,8 @@ "rsa.internal.event_desc": "enimips", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "cancel", - "gna" + "gna", + "cancel" ], "rsa.misc.category": "Nequepor", "rsa.misc.disposition": "nisiu", @@ -3923,8 +3923,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.43.244.252", - "10.251.212.166" + "10.251.212.166", + "10.43.244.252" ], "related.user": [ "uptat", @@ -4015,8 +4015,8 @@ ], "related.user": [ "mqu", - "uatDuisa", - "tesseq" + "tesseq", + "uatDuisa" ], "rsa.counters.dclass_c1": 1623, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4102,8 +4102,8 @@ ], "related.user": [ "volu", - "ineavol", - "rehe" + "rehe", + "ineavol" ], "rsa.counters.dclass_c1": 3064, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4209,12 +4209,12 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.57.169.205", - "10.172.121.239" + "10.172.121.239", + "10.57.169.205" ], "related.user": [ - "iuta", "ctas", + "iuta", "ipsu" ], "rsa.counters.dclass_c1": 392, @@ -4268,13 +4268,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.129.234.200", - "10.42.218.103" + "10.42.218.103", + "10.129.234.200" ], "related.user": [ + "dquia", "tevelit", - "tisundeo", - "dquia" + "tisundeo" ], "rsa.counters.dclass_c1": 6709, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4331,8 +4331,8 @@ "10.76.121.224" ], "related.user": [ - "ali", "scive", + "ali", "oloremi" ], "rsa.counters.dclass_c1": 6155, @@ -4390,9 +4390,9 @@ "10.195.8.141" ], "related.user": [ + "dolo", "ota", - "enimip", - "dolo" + "enimip" ], "rsa.counters.dclass_c1": 469, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4445,13 +4445,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.179.60.167", - "10.173.13.179" + "10.173.13.179", + "10.179.60.167" ], "related.user": [ + "isn", "ptasn", - "apar", - "isn" + "apar" ], "rsa.counters.dclass_c1": 758, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4508,9 +4508,9 @@ "10.178.190.123" ], "related.user": [ - "ore", + "tiset", "orsi", - "tiset" + "ore" ], "rsa.counters.dclass_c1": 2290, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4591,13 +4591,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.207.198.239", - "10.8.147.176" + "10.8.147.176", + "10.207.198.239" ], "related.user": [ + "aUteni", "incididu", - "Loremips", - "aUteni" + "Loremips" ], "rsa.counters.dclass_c1": 3043, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4653,9 +4653,9 @@ "10.116.26.185" ], "related.user": [ - "litesseq", "oNe", - "nseq" + "nseq", + "litesseq" ], "rsa.counters.dclass_c1": 3218, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4704,13 +4704,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.86.180.150", - "10.253.127.130" + "10.253.127.130", + "10.86.180.150" ], "related.user": [ "mnisis", - "itasper", - "etconsec" + "etconsec", + "itasper" ], "rsa.counters.dclass_c1": 4564, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -4765,12 +4765,12 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.220.175.201", - "10.158.161.5" + "10.158.161.5", + "10.220.175.201" ], "related.user": [ - "rrors", - "dolo" + "dolo", + "rrors" ], "rsa.counters.event_counter": 4098, "rsa.db.database": "tsed", @@ -4856,8 +4856,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.248.16.82", - "10.150.27.144" + "10.150.27.144", + "10.248.16.82" ], "related.user": [ "ditautf", @@ -4919,9 +4919,9 @@ "10.146.131.76" ], "related.user": [ - "Except", "olo", - "orsi" + "orsi", + "Except" ], "rsa.counters.dclass_c1": 5844, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -5032,9 +5032,9 @@ "10.253.175.129" ], "related.user": [ + "ate", "nrep", - "epteurs", - "ate" + "epteurs" ], "rsa.counters.dclass_c1": 6260, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -5094,16 +5094,16 @@ ], "related.user": [ "aboris", - "atus", - "orumetMa" + "orumetMa", + "atus" ], "rsa.counters.event_counter": 5863, "rsa.db.database": "inventor", "rsa.internal.event_desc": "loi", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "block", - "atcupi" + "atcupi", + "block" ], "rsa.misc.category": "tation", "rsa.misc.disposition": "seddoe", @@ -5155,12 +5155,12 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.81.108.232", - "10.52.106.68" + "10.52.106.68", + "10.81.108.232" ], "related.user": [ - "aco", "neavolup", + "aco", "uaturve" ], "rsa.counters.event_counter": 5098, @@ -5168,8 +5168,8 @@ "rsa.internal.event_desc": "pis", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "Quisaut", - "allow" + "allow", + "Quisaut" ], "rsa.misc.category": "idol", "rsa.misc.disposition": "mmodico", @@ -5222,21 +5222,21 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.223.10.28", - "10.230.48.97" + "10.230.48.97", + "10.223.10.28" ], "related.user": [ - "erit", + "usmodte", "untex", - "usmodte" + "erit" ], "rsa.counters.event_counter": 4029, "rsa.db.database": "ommodi", "rsa.internal.event_desc": "itatiset", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "tconse", - "deny" + "deny", + "tconse" ], "rsa.misc.category": "uaerat", "rsa.misc.disposition": "met", @@ -5291,9 +5291,9 @@ "10.161.212.150" ], "related.user": [ - "tasnul", "sequamn", - "res" + "res", + "tasnul" ], "rsa.counters.dclass_c1": 4846, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -5348,21 +5348,21 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.247.108.144", - "10.226.75.20" + "10.226.75.20", + "10.247.108.144" ], "related.user": [ - "fugia", "tema", - "maccusan" + "maccusan", + "fugia" ], "rsa.counters.event_counter": 3711, "rsa.db.database": "psa", "rsa.internal.event_desc": "stiaec", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "block", - "iat" + "iat", + "block" ], "rsa.misc.category": "officia", "rsa.misc.disposition": "ametcon", @@ -5412,12 +5412,12 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.192.15.65", - "10.97.22.61" + "10.97.22.61", + "10.192.15.65" ], "related.user": [ - "rExcep", "nimides", + "rExcep", "illumd" ], "rsa.counters.dclass_c1": 4173, @@ -5469,8 +5469,8 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.116.76.161", - "10.197.254.133" + "10.197.254.133", + "10.116.76.161" ], "related.user": [ "ide", @@ -5482,8 +5482,8 @@ "rsa.internal.event_desc": "ritat", "rsa.internal.messageid": "Imperva", "rsa.misc.action": [ - "quid", - "cancel" + "cancel", + "quid" ], "rsa.misc.category": "dipi", "rsa.misc.disposition": "asnulapa", @@ -5533,13 +5533,13 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.28.77.79", - "10.144.14.15" + "10.144.14.15", + "10.28.77.79" ], "related.user": [ - "rspic", + "upta", "utlab", - "upta" + "rspic" ], "rsa.counters.dclass_c1": 4810, "rsa.counters.dclass_c1_str": "Affected Rows", @@ -5591,12 +5591,12 @@ "observer.type": "WAF", "observer.vendor": "Imperva", "related.ip": [ - "10.18.15.43", - "10.248.177.182" + "10.248.177.182", + "10.18.15.43" ], "related.user": [ - "quei", "quaturve", + "quei", "caecat" ], "rsa.counters.dclass_c1": 983, diff --git a/x-pack/filebeat/module/netscout/sightline/test/generated.log-expected.json b/x-pack/filebeat/module/netscout/sightline/test/generated.log-expected.json index 84a3179ce567..530aa6f4cc11 100644 --- a/x-pack/filebeat/module/netscout/sightline/test/generated.log-expected.json +++ b/x-pack/filebeat/module/netscout/sightline/test/generated.log-expected.json @@ -974,8 +974,8 @@ "observer.type": "DDOS", "observer.vendor": "Netscout", "related.ip": [ - "10.168.131.247", - "10.136.232.108" + "10.136.232.108", + "10.168.131.247" ], "rsa.internal.messageid": "Blocked_Host", "rsa.misc.msgIdPart1": "Blocked", @@ -1674,8 +1674,8 @@ "observer.type": "DDOS", "observer.vendor": "Netscout", "related.ip": [ - "10.216.83.142", - "10.224.198.212" + "10.224.198.212", + "10.216.83.142" ], "rsa.internal.messageid": "anomaly", "rsa.misc.category": "utodita", @@ -1712,8 +1712,8 @@ "observer.type": "DDOS", "observer.vendor": "Netscout", "related.ip": [ - "10.28.226.128", - "10.122.76.148" + "10.122.76.148", + "10.28.226.128" ], "rsa.internal.messageid": "Blocked_Host", "rsa.misc.msgIdPart1": "Blocked", diff --git a/x-pack/filebeat/module/o365/audit/test/04-sharepoint.log-expected.json b/x-pack/filebeat/module/o365/audit/test/04-sharepoint.log-expected.json index 92415bf00c4d..56a4f778e7f4 100644 --- a/x-pack/filebeat/module/o365/audit/test/04-sharepoint.log-expected.json +++ b/x-pack/filebeat/module/o365/audit/test/04-sharepoint.log-expected.json @@ -59,7 +59,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -127,7 +127,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -195,7 +195,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -263,7 +263,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", diff --git a/x-pack/filebeat/module/o365/audit/test/06-sharepointfileop.log-expected.json b/x-pack/filebeat/module/o365/audit/test/06-sharepointfileop.log-expected.json index d6e9404a8425..b5c79d506d1f 100644 --- a/x-pack/filebeat/module/o365/audit/test/06-sharepointfileop.log-expected.json +++ b/x-pack/filebeat/module/o365/audit/test/06-sharepointfileop.log-expected.json @@ -67,7 +67,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -143,7 +143,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -219,7 +219,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -295,7 +295,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -372,7 +372,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -448,7 +448,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -524,7 +524,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -601,7 +601,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -677,7 +677,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -753,7 +753,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -829,7 +829,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", diff --git a/x-pack/filebeat/module/o365/audit/test/14-sp-sharing-op.log-expected.json b/x-pack/filebeat/module/o365/audit/test/14-sp-sharing-op.log-expected.json index 9f10e9f89f34..cc096b3acc25 100644 --- a/x-pack/filebeat/module/o365/audit/test/14-sp-sharing-op.log-expected.json +++ b/x-pack/filebeat/module/o365/audit/test/14-sp-sharing-op.log-expected.json @@ -316,7 +316,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0", "user_agent.os.full": "Mac OS X 10.14", @@ -390,7 +390,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0", "user_agent.os.full": "Mac OS X 10.14", @@ -465,7 +465,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0", "user_agent.os.full": "Mac OS X 10.14", @@ -540,7 +540,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0", "user_agent.os.full": "Mac OS X 10.14", @@ -615,7 +615,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:73.0) Gecko/20100101 Firefox/73.0", "user_agent.os.full": "Mac OS X 10.14", diff --git a/x-pack/filebeat/module/o365/audit/test/15-azuread-sts-logon.log-expected.json b/x-pack/filebeat/module/o365/audit/test/15-azuread-sts-logon.log-expected.json index 2daa90ba4b75..60c77401b355 100644 --- a/x-pack/filebeat/module/o365/audit/test/15-azuread-sts-logon.log-expected.json +++ b/x-pack/filebeat/module/o365/audit/test/15-azuread-sts-logon.log-expected.json @@ -88,7 +88,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -185,7 +185,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -282,7 +282,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -379,7 +379,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -476,7 +476,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -573,7 +573,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -670,7 +670,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -767,7 +767,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -864,7 +864,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -961,7 +961,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -1058,7 +1058,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -1155,7 +1155,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -1252,7 +1252,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -1349,7 +1349,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -1443,7 +1443,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -1540,7 +1540,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -1637,7 +1637,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -1731,7 +1731,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -1828,7 +1828,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -1925,7 +1925,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -2022,7 +2022,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -2119,7 +2119,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -2216,7 +2216,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -2313,7 +2313,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -2410,7 +2410,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -2507,7 +2507,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -2604,7 +2604,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -2701,7 +2701,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -2798,7 +2798,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -2894,7 +2894,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -2992,7 +2992,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -3076,7 +3076,7 @@ "forwarded" ], "user.id": "Unknown", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -3173,7 +3173,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -3257,7 +3257,7 @@ "forwarded" ], "user.id": "Unknown", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -3355,7 +3355,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -3439,7 +3439,7 @@ "forwarded" ], "user.id": "Unknown", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -3537,7 +3537,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -3634,7 +3634,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -3731,7 +3731,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -3815,7 +3815,7 @@ "forwarded" ], "user.id": "Unknown", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -3913,7 +3913,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -4007,7 +4007,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -4104,7 +4104,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -4201,7 +4201,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -4285,7 +4285,7 @@ "forwarded" ], "user.id": "Unknown", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -4382,7 +4382,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -4479,7 +4479,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -4576,7 +4576,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -4673,7 +4673,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -4770,7 +4770,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -4867,7 +4867,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -4964,7 +4964,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -5061,7 +5061,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -5158,7 +5158,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -5255,7 +5255,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -5352,7 +5352,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -5449,7 +5449,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -5546,7 +5546,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -5640,7 +5640,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -5737,7 +5737,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -5834,7 +5834,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -5931,7 +5931,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -6028,7 +6028,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -6125,7 +6125,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -6222,7 +6222,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -6319,7 +6319,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -6416,7 +6416,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -6513,7 +6513,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", @@ -6610,7 +6610,7 @@ "user.domain": "testsiem.onmicrosoft.com", "user.id": "asr@testsiem.onmicrosoft.com", "user.name": "asr", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.14", diff --git a/x-pack/filebeat/module/okta/system/test/okta-system-test.json.log-expected.json b/x-pack/filebeat/module/okta/system/test/okta-system-test.json.log-expected.json index c85eeff2148f..437a7ea5627a 100644 --- a/x-pack/filebeat/module/okta/system/test/okta-system-test.json.log-expected.json +++ b/x-pack/filebeat/module/okta/system/test/okta-system-test.json.log-expected.json @@ -65,7 +65,7 @@ "tags": [ "forwarded" ], - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.15", @@ -140,7 +140,7 @@ "tags": [ "forwarded" ], - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.15", @@ -230,7 +230,7 @@ "tags": [ "forwarded" ], - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Firefox", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:72.0) Gecko/20100101 Firefox/72.0", "user_agent.os.full": "Mac OS X 10.15", diff --git a/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json b/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json index 6892f63bb1c5..56ba3e6e78d4 100644 --- a/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json +++ b/x-pack/filebeat/module/sonicwall/firewall/test/generated.log-expected.json @@ -544,9 +544,9 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ + "10.245.200.97", "10.34.161.166", - "10.219.116.137", - "10.245.200.97" + "10.219.116.137" ], "rsa.internal.event_desc": "rehend", "rsa.internal.messageid": "428", @@ -592,8 +592,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.118.80.140", - "10.252.122.195" + "10.252.122.195", + "10.118.80.140" ], "rsa.internal.messageid": "401", "rsa.internal.msg": "inesci", @@ -965,8 +965,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.126.34.82", - "10.14.1.45" + "10.14.1.45", + "10.126.34.82" ], "rsa.internal.messageid": "196", "rsa.internal.msg": "vita", @@ -999,8 +999,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.251.20.13", - "10.101.74.44" + "10.101.74.44", + "10.251.20.13" ], "related.user": [ "rsitv" @@ -1173,8 +1173,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.54.14.189", - "10.216.125.252" + "10.216.125.252", + "10.54.14.189" ], "rsa.internal.messageid": "402", "rsa.internal.msg": "tvol", @@ -1208,8 +1208,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.97.124.211", - "10.53.113.23" + "10.53.113.23", + "10.97.124.211" ], "rsa.identity.user_sid_dst": "iumdol", "rsa.internal.messageid": "1154", @@ -1304,8 +1304,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.108.249.60", - "10.76.110.144" + "10.76.110.144", + "10.108.249.60" ], "rsa.internal.messageid": "931", "rsa.internal.msg": "qua", @@ -1378,8 +1378,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.147.88.219", - "10.31.190.145" + "10.31.190.145", + "10.147.88.219" ], "related.user": [ "corpori" @@ -1420,9 +1420,9 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.108.84.24", "10.113.100.237", - "10.251.248.228" + "10.251.248.228", + "10.108.84.24" ], "rsa.internal.event_desc": "volupt", "rsa.internal.messageid": "606", @@ -1820,8 +1820,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.116.173.79", - "10.185.37.32" + "10.185.37.32", + "10.116.173.79" ], "rsa.internal.messageid": "178", "rsa.internal.msg": "ende", @@ -2094,8 +2094,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.222.169.140", - "10.117.63.181" + "10.117.63.181", + "10.222.169.140" ], "rsa.internal.messageid": "195", "rsa.internal.msg": "magnaal", @@ -2318,8 +2318,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.125.85.128", - "10.78.29.246" + "10.78.29.246", + "10.125.85.128" ], "rsa.internal.messageid": "355", "rsa.internal.msg": "labo", @@ -2571,8 +2571,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.143.0.78", - "10.250.149.166" + "10.250.149.166", + "10.143.0.78" ], "rsa.internal.messageid": "713", "rsa.misc.action": [ @@ -2673,8 +2673,8 @@ "observer.type": "Firewall", "observer.vendor": "Sonicwall", "related.ip": [ - "10.179.3.247", - "10.219.228.115" + "10.219.228.115", + "10.179.3.247" ], "rsa.internal.messageid": "373", "rsa.misc.action": [ diff --git a/x-pack/filebeat/module/squid/log/test/access1.log-expected.json b/x-pack/filebeat/module/squid/log/test/access1.log-expected.json index 5f0e879398ac..3bd7adbce314 100644 --- a/x-pack/filebeat/module/squid/log/test/access1.log-expected.json +++ b/x-pack/filebeat/module/squid/log/test/access1.log-expected.json @@ -22,8 +22,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.21.199", - "209.73.177.115" + "209.73.177.115", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -83,8 +83,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.21.199", - "207.58.145.61" + "207.58.145.61", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -158,8 +158,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -320,8 +320,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -368,8 +368,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.21.199", - "66.102.9.147" + "66.102.9.147", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -380,8 +380,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -443,8 +443,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -494,8 +494,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.21.199", - "207.58.145.61" + "207.58.145.61", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -506,8 +506,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -557,8 +557,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.21.199", - "207.58.145.61" + "207.58.145.61", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -670,8 +670,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "209.85.16.38", - "10.105.21.199" + "10.105.21.199", + "209.85.16.38" ], "related.user": [ "badeyek" @@ -682,8 +682,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -861,8 +861,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -962,8 +962,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "207.58.145.61", - "10.105.21.199" + "10.105.21.199", + "207.58.145.61" ], "related.user": [ "badeyek" @@ -974,8 +974,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -1083,8 +1083,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.21.199", - "64.127.126.178" + "64.127.126.178", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -1158,8 +1158,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "302", @@ -1317,8 +1317,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "209.73.177.115", - "10.105.21.199" + "10.105.21.199", + "209.73.177.115" ], "related.user": [ "badeyek" @@ -1328,8 +1328,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "CONNECT" + "CONNECT", + "TCP_MISS" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "200", @@ -1378,8 +1378,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_DENIED", - "GET" + "GET", + "TCP_DENIED" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -1425,8 +1425,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "216.155.194.239" + "216.155.194.239", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -1498,8 +1498,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -1561,8 +1561,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/css", "rsa.misc.result_code": "200", @@ -1669,8 +1669,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_DENIED" + "TCP_DENIED", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -1719,8 +1719,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_IMS_HIT", - "GET" + "GET", + "TCP_IMS_HIT" ], "rsa.misc.content_type": "text/css", "rsa.misc.result_code": "304", @@ -1769,8 +1769,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_IMS_HIT", - "GET" + "GET", + "TCP_IMS_HIT" ], "rsa.misc.content_type": "text/css", "rsa.misc.result_code": "304", @@ -1819,8 +1819,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "204.13.51.238", - "10.105.47.218" + "10.105.47.218", + "204.13.51.238" ], "related.user": [ "nazsoau" @@ -1882,8 +1882,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.47.218", - "204.13.51.238" + "204.13.51.238", + "10.105.47.218" ], "related.user": [ "nazsoau" @@ -1894,8 +1894,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/css", "rsa.misc.result_code": "200", @@ -1941,8 +1941,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "216.155.194.239" + "216.155.194.239", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -1997,8 +1997,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "68.142.194.14" + "68.142.194.14", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -2009,8 +2009,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -2057,8 +2057,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "68.142.219.132", - "10.105.33.214" + "10.105.33.214", + "68.142.219.132" ], "related.user": [ "adeolaegbedokun" @@ -2116,8 +2116,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "216.155.194.239" + "216.155.194.239", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -2127,8 +2127,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "POST" + "POST", + "TCP_MISS" ], "rsa.misc.content_type": "text/plain", "rsa.misc.result_code": "200", @@ -2185,8 +2185,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -2236,8 +2236,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.21.199", - "63.245.209.21" + "63.245.209.21", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -2248,8 +2248,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "302", @@ -2295,8 +2295,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "68.142.231.252", - "10.105.33.214" + "10.105.33.214", + "68.142.231.252" ], "related.user": [ "adeolaegbedokun" @@ -2461,8 +2461,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "POST", - "TCP_DENIED" + "TCP_DENIED", + "POST" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -2510,8 +2510,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "POST", - "TCP_DENIED" + "TCP_DENIED", + "POST" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -2558,8 +2558,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "CONNECT", - "TCP_DENIED" + "TCP_DENIED", + "CONNECT" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -2618,8 +2618,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -2714,8 +2714,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "68.142.219.132", - "10.105.33.214" + "10.105.33.214", + "68.142.219.132" ], "related.user": [ "adeolaegbedokun" @@ -2726,8 +2726,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -2784,8 +2784,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "POST" + "POST", + "TCP_MISS" ], "rsa.misc.content_type": "text/plain", "rsa.misc.result_code": "200", @@ -2904,8 +2904,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -3050,8 +3050,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "68.142.219.132" + "68.142.219.132", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -3110,8 +3110,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "68.142.219.132" + "68.142.219.132", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -3122,8 +3122,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -3170,8 +3170,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "68.142.219.132", - "10.105.33.214" + "10.105.33.214", + "68.142.219.132" ], "related.user": [ "adeolaegbedokun" @@ -3182,8 +3182,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_REFRESH_HIT" + "TCP_REFRESH_HIT", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -3230,8 +3230,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "68.142.219.132", - "10.105.33.214" + "10.105.33.214", + "68.142.219.132" ], "related.user": [ "adeolaegbedokun" @@ -3242,8 +3242,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_REFRESH_HIT", - "GET" + "GET", + "TCP_REFRESH_HIT" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -3342,8 +3342,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_IMS_HIT", - "GET" + "GET", + "TCP_IMS_HIT" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -3392,8 +3392,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_HIT" + "TCP_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -3440,8 +3440,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "212.58.226.33", - "10.105.21.199" + "10.105.21.199", + "212.58.226.33" ], "related.user": [ "badeyek" @@ -3671,8 +3671,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "POST" + "POST", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "302", @@ -3782,8 +3782,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "68.142.219.132", - "10.105.33.214" + "10.105.33.214", + "68.142.219.132" ], "related.user": [ "adeolaegbedokun" @@ -3794,8 +3794,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -3854,8 +3854,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/xml", "rsa.misc.result_code": "200", @@ -3914,8 +3914,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -3964,8 +3964,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_DENIED" + "TCP_DENIED", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -4014,8 +4014,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_DENIED" + "TCP_DENIED", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -4125,8 +4125,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "68.142.219.132" + "68.142.219.132", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -4137,8 +4137,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "302", @@ -4197,8 +4197,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "200", @@ -4308,8 +4308,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "68.142.219.132" + "68.142.219.132", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -4378,8 +4378,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -4424,8 +4424,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "68.142.194.14" + "68.142.194.14", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -4436,8 +4436,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -4715,8 +4715,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.21.199", - "209.73.177.115" + "209.73.177.115", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -4789,8 +4789,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "-", "rsa.misc.result_code": "304", @@ -4840,8 +4840,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "213.160.98.159", - "10.105.33.214" + "10.105.33.214", + "213.160.98.159" ], "related.user": [ "adeolaegbedokun" @@ -4953,8 +4953,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.33.214", - "213.160.98.167" + "213.160.98.167", + "10.105.33.214" ], "related.user": [ "adeolaegbedokun" @@ -5091,8 +5091,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_MISS" + "TCP_MISS", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "304", @@ -5141,8 +5141,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_DENIED" + "TCP_DENIED", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -5191,8 +5191,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_DENIED" + "TCP_DENIED", + "GET" ], "rsa.misc.content_type": "text/html", "rsa.misc.result_code": "407", @@ -5249,8 +5249,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_MISS", - "GET" + "GET", + "TCP_MISS" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", @@ -5297,8 +5297,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "10.105.21.199", - "217.12.10.96" + "217.12.10.96", + "10.105.21.199" ], "related.user": [ "badeyek" @@ -5408,8 +5408,8 @@ "observer.type": "Proxies", "observer.vendor": "Squid", "related.ip": [ - "213.160.98.169", - "10.105.21.199" + "10.105.21.199", + "213.160.98.169" ], "related.user": [ "badeyek" @@ -5420,8 +5420,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "TCP_SWAPFAIL_MISS", - "GET" + "GET", + "TCP_SWAPFAIL_MISS" ], "rsa.misc.content_type": "application/x-javascript", "rsa.misc.result_code": "200", @@ -5470,8 +5470,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_HIT" + "TCP_HIT", + "GET" ], "rsa.misc.content_type": "text/css", "rsa.misc.result_code": "200", @@ -5683,8 +5683,8 @@ "rsa.investigations.ec_subject": "NetworkComm", "rsa.investigations.ec_theme": "ALM", "rsa.misc.action": [ - "GET", - "TCP_HIT" + "TCP_HIT", + "GET" ], "rsa.misc.content_type": "image/gif", "rsa.misc.result_code": "200", diff --git a/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json b/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json index 5d44c5bd12f2..9fc69ab77543 100644 --- a/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json +++ b/x-pack/filebeat/module/suricata/eve/test/eve-small.log-expected.json @@ -150,7 +150,7 @@ "url.domain": "192.168.86.28", "url.original": "/dd.xml", "url.path": "/dd.xml", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36", "user_agent.os.full": "Mac OS X 10.13.5", @@ -208,7 +208,7 @@ "url.domain": "192.168.86.28", "url.original": "/ssdp/device-desc.xml", "url.path": "/ssdp/device-desc.xml", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36", "user_agent.os.full": "Mac OS X 10.13.5", diff --git a/x-pack/filebeat/module/tomcat/log/test/generated.log-expected.json b/x-pack/filebeat/module/tomcat/log/test/generated.log-expected.json index 4df04b99e4de..eb9298f3d1b4 100644 --- a/x-pack/filebeat/module/tomcat/log/test/generated.log-expected.json +++ b/x-pack/filebeat/module/tomcat/log/test/generated.log-expected.json @@ -45,7 +45,7 @@ "url.domain": "example.com", "url.query": "amremap", "user.name": "rci", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "G8142", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", "user_agent.os.full": "Android 9", @@ -208,7 +208,7 @@ "url.domain": "www5.example.org", "url.query": "con", "user.name": "tur", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "5024D_RU", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61", "user_agent.os.full": "Android 9", @@ -872,7 +872,7 @@ "url.domain": "internal.example.net", "url.query": "iades", "user.name": "tat", - "user_agent.device.name": "Generic Tablet", + "user_agent.device.name": "Notepad_K10", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36", "user_agent.os.full": "Android 9", @@ -1313,7 +1313,7 @@ "url.domain": "internal.example.com", "url.query": "tet", "user.name": "ionevo", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "POCOPHONE F1", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", "user_agent.os.full": "Android 9", @@ -1370,7 +1370,7 @@ "url.domain": "example.net", "url.query": "orem", "user.name": "tenbyCi", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "G8142", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", "user_agent.os.full": "Android 9", @@ -1703,7 +1703,7 @@ "url.domain": "example.com", "url.query": "tutlab", "user.name": "siut", - "user_agent.device.name": "Generic Tablet", + "user_agent.device.name": "Notepad_K10", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36", "user_agent.os.full": "Android 9", @@ -1921,7 +1921,7 @@ "url.domain": "api.example.net", "url.query": "tincu", "user.name": "mve", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "G8142", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", "user_agent.os.full": "Android 9", @@ -1978,7 +1978,7 @@ "url.domain": "mail.example.org", "url.query": "rsita", "user.name": "uat", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "POCOPHONE F1", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", "user_agent.os.full": "Android 9", @@ -2143,7 +2143,7 @@ "url.domain": "mail.example.com", "url.query": "uptatemU", "user.name": "ore", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "5024D_RU", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61", "user_agent.os.full": "Android 9", @@ -2360,7 +2360,7 @@ "url.domain": "api.example.com", "url.query": "urExce", "user.name": "eporroq", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "U307AS", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", "user_agent.os.full": "Android 9", @@ -2417,7 +2417,7 @@ "url.domain": "example.net", "url.query": "erun", "user.name": "fugitse", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "G8142", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", "user_agent.os.full": "Android 9", @@ -2579,7 +2579,7 @@ "url.domain": "www.example.net", "url.query": "quasiar", "user.name": "econs", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "POCOPHONE F1", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", "user_agent.os.full": "Android 9", @@ -2693,7 +2693,7 @@ "url.domain": "internal.example.net", "url.query": "taliqui", "user.name": "leumiur", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Yandex Browser", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36", "user_agent.os.full": "Mac OS X 10.15.6", @@ -2750,7 +2750,7 @@ "url.domain": "mail.example.net", "url.query": "atnulapa", "user.name": "quaU", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "U307AS", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", "user_agent.os.full": "Android 9", @@ -2861,7 +2861,7 @@ "url.domain": "api.example.org", "url.query": "incidid", "user.name": "tiumto", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "G8142", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", "user_agent.os.full": "Android 9", @@ -2969,7 +2969,7 @@ "url.domain": "example.org", "url.query": "atem", "user.name": "ntmo", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "LM-V350", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", "user_agent.os.full": "Android 10", @@ -3689,7 +3689,7 @@ "url.domain": "www5.example.com", "url.query": "Utenimad", "user.name": "ptate", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "5024D_RU", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61", "user_agent.os.full": "Android 9", @@ -3743,7 +3743,7 @@ "url.domain": "www.example.net", "url.query": "aqui", "user.name": "ventor", - "user_agent.device.name": "Generic Tablet", + "user_agent.device.name": "Notepad_K10", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36", "user_agent.os.full": "Android 9", @@ -3908,7 +3908,7 @@ "url.domain": "www5.example.net", "url.query": "oremip", "user.name": "oluptat", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "LM-V350", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", "user_agent.os.full": "Android 10", @@ -4181,7 +4181,7 @@ "url.domain": "example.com", "url.query": "miurere", "user.name": "cin", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "5024D_RU", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61", "user_agent.os.full": "Android 9", @@ -4460,7 +4460,7 @@ "url.domain": "www5.example.com", "url.query": "luptasnu", "user.name": "mmo", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "5024D_RU", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61", "user_agent.os.full": "Android 9", @@ -5343,7 +5343,7 @@ "url.domain": "api.example.net", "url.query": "aborio", "user.name": "uira", - "user_agent.device.name": "Generic Tablet", + "user_agent.device.name": "Notepad_K10", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36", "user_agent.os.full": "Android 9", @@ -5511,7 +5511,7 @@ "url.domain": "internal.example.org", "url.query": "nidol", "user.name": "mco", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "5024D_RU", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61", "user_agent.os.full": "Android 9", diff --git a/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json b/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json index 2df5f4bcff83..ea74e1c3b31a 100644 --- a/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json +++ b/x-pack/filebeat/module/zscaler/zia/test/generated.log-expected.json @@ -23,8 +23,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.176.10.114", - "10.206.191.17" + "10.206.191.17", + "10.176.10.114" ], "related.user": [ "sumdo" @@ -182,8 +182,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "uptassi", "rsa.misc.action": [ - "Blocked", - "giatq" + "giatq", + "Blocked" ], "rsa.misc.category": "llu", "rsa.misc.filter": "tconsec", @@ -208,7 +208,7 @@ ], "url.original": "https://example.com/taspe/mvolu.gif?atcup=snos#iquaUte", "user.name": "tenima", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "U307AS", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", "user_agent.os.full": "Android 9", @@ -240,8 +240,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.103.246.190", - "10.252.125.53" + "10.252.125.53", + "10.103.246.190" ], "related.user": [ "equun" @@ -255,8 +255,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ima", "rsa.misc.action": [ - "Allowed", - "llam" + "llam", + "Allowed" ], "rsa.misc.category": "aboris", "rsa.misc.filter": "atatnonp", @@ -281,7 +281,7 @@ ], "url.original": "https://api.example.org/doloreeu/pori.jpg?itati=mfu#uid", "user.name": "equun", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "G8142", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", "user_agent.os.full": "Android 9", @@ -313,8 +313,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.61.78.108", - "10.136.153.149" + "10.136.153.149", + "10.61.78.108" ], "related.user": [ "ercit" @@ -328,8 +328,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "inim", "rsa.misc.action": [ - "reetdolo", - "Blocked" + "Blocked", + "reetdolo" ], "rsa.misc.category": "osquir", "rsa.misc.filter": "ipit", @@ -386,8 +386,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.183.16.166", - "10.66.250.92" + "10.66.250.92", + "10.183.16.166" ], "related.user": [ "tessec" @@ -401,8 +401,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "avol", "rsa.misc.action": [ - "ist", - "Allowed" + "Allowed", + "ist" ], "rsa.misc.category": "lorema", "rsa.misc.filter": "sun", @@ -474,8 +474,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "lupt", "rsa.misc.action": [ - "dun", - "Blocked" + "Blocked", + "dun" ], "rsa.misc.category": "rsitamet", "rsa.misc.filter": "usmod", @@ -532,8 +532,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.74.17.5", - "10.119.185.63" + "10.119.185.63", + "10.74.17.5" ], "related.user": [ "erc" @@ -547,8 +547,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tame", "rsa.misc.action": [ - "nsec", - "Blocked" + "Blocked", + "nsec" ], "rsa.misc.category": "emaperi", "rsa.misc.filter": "rehe", @@ -605,8 +605,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.78.151.178", - "10.25.192.202" + "10.25.192.202", + "10.78.151.178" ], "related.user": [ "quip" @@ -620,8 +620,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "atquovo", "rsa.misc.action": [ - "amvolup", - "Allowed" + "Allowed", + "amvolup" ], "rsa.misc.category": "hil", "rsa.misc.filter": "deFinibu", @@ -678,8 +678,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.71.170.37", - "10.135.225.244" + "10.135.225.244", + "10.71.170.37" ], "related.user": [ "atu" @@ -693,8 +693,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ihilm", "rsa.misc.action": [ - "psaquae", - "Allowed" + "Allowed", + "psaquae" ], "rsa.misc.category": "eFinib", "rsa.misc.filter": "inesci", @@ -719,7 +719,7 @@ ], "url.original": "https://mail.example.net/equep/iavolu.gif?aqu=rpo#uipe", "user.name": "atu", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "POCOPHONE F1", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", "user_agent.os.full": "Android 9", @@ -865,7 +865,7 @@ ], "url.original": "https://internal.example.net/oru/temqu.htm?etMalor=ipi#reseos", "user.name": "ihilmo", - "user_agent.device.name": "Generic Tablet", + "user_agent.device.name": "Notepad_K10", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36", "user_agent.os.full": "Android 9", @@ -897,8 +897,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.31.240.6", - "10.167.98.76" + "10.167.98.76", + "10.31.240.6" ], "related.user": [ "ratvolu" @@ -970,8 +970,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.135.160.125", - "10.0.55.9" + "10.0.55.9", + "10.135.160.125" ], "related.user": [ "volupta" @@ -1058,8 +1058,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "nnum", "rsa.misc.action": [ - "ntoccae", - "Allowed" + "Allowed", + "ntoccae" ], "rsa.misc.category": "tium", "rsa.misc.filter": "uteirure", @@ -1116,8 +1116,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.5.126.127", - "10.252.124.150" + "10.252.124.150", + "10.5.126.127" ], "related.user": [ "inibusB" @@ -1131,8 +1131,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "mod", "rsa.misc.action": [ - "xeacomm", - "Allowed" + "Allowed", + "xeacomm" ], "rsa.misc.category": "sauteiru", "rsa.misc.filter": "antiu", @@ -1277,8 +1277,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "quid", "rsa.misc.action": [ - "itecto", - "Allowed" + "Allowed", + "itecto" ], "rsa.misc.category": "quam", "rsa.misc.filter": "adeser", @@ -1408,8 +1408,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.29.155.171", - "10.229.83.165" + "10.229.83.165", + "10.29.155.171" ], "related.user": [ "ulapar" @@ -1423,8 +1423,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "vitaedi", "rsa.misc.action": [ - "llitanim", - "Allowed" + "Allowed", + "llitanim" ], "rsa.misc.category": "apariat", "rsa.misc.filter": "tasnulap", @@ -1481,8 +1481,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.129.192.145", - "10.161.148.64" + "10.161.148.64", + "10.129.192.145" ], "related.user": [ "lor" @@ -1554,8 +1554,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.7.200.140", - "10.203.65.161" + "10.203.65.161", + "10.7.200.140" ], "related.user": [ "snost" @@ -1569,8 +1569,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tdol", "rsa.misc.action": [ - "Allowed", - "nte" + "nte", + "Allowed" ], "rsa.misc.category": "adeseru", "rsa.misc.filter": "mac", @@ -1642,8 +1642,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "iutali", "rsa.misc.action": [ - "Blocked", - "atcupi" + "atcupi", + "Blocked" ], "rsa.misc.category": "isetq", "rsa.misc.filter": "equinesc", @@ -1700,8 +1700,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.24.111.229", - "10.39.31.115" + "10.39.31.115", + "10.24.111.229" ], "related.user": [ "fugi" @@ -1741,7 +1741,7 @@ ], "url.original": "https://example.com/luptatem/uaeratv.gif?dat=periam#dqu", "user.name": "fugi", - "user_agent.device.name": "Generic Tablet", + "user_agent.device.name": "Notepad_K10", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36", "user_agent.os.full": "Android 9", @@ -1788,8 +1788,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "riss", "rsa.misc.action": [ - "Blocked", - "risnis" + "risnis", + "Blocked" ], "rsa.misc.category": "emqu", "rsa.misc.filter": "oluptas", @@ -1846,8 +1846,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.128.173.19", - "10.88.172.34" + "10.88.172.34", + "10.128.173.19" ], "related.user": [ "agnaaliq" @@ -1919,8 +1919,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.130.241.232", - "10.238.224.49" + "10.238.224.49", + "10.130.241.232" ], "related.user": [ "onse" @@ -1960,7 +1960,7 @@ ], "url.original": "https://api.example.org/rure/asiarchi.txt?loremeu=aturve#utfug", "user.name": "onse", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "POCOPHONE F1", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; POCOPHONE F1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", "user_agent.os.full": "Android 9", @@ -2033,7 +2033,7 @@ ], "url.original": "https://example.com/emUte/molestia.htm?orroqu=elitsed#labore", "user.name": "Cic", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "U307AS", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", "user_agent.os.full": "Android 9", @@ -2106,7 +2106,7 @@ ], "url.original": "https://mail.example.net/repreh/plic.jpg?utlabo=tetur#tionula", "user.name": "ueipsa", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "U307AS", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", "user_agent.os.full": "Android 9", @@ -2138,8 +2138,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.18.226.72", - "10.101.85.169" + "10.101.85.169", + "10.18.226.72" ], "related.user": [ "rroqu" @@ -2153,8 +2153,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "moles", "rsa.misc.action": [ - "Allowed", - "vitaed" + "vitaed", + "Allowed" ], "rsa.misc.category": "billoi", "rsa.misc.filter": "suntex", @@ -2179,7 +2179,7 @@ ], "url.original": "https://api.example.com/tcu/iatqu.jpg?quovo=urExcep#ema", "user.name": "rroqu", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "G8142", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", "user_agent.os.full": "Android 9", @@ -2211,8 +2211,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.87.100.240", - "10.242.182.193" + "10.242.182.193", + "10.87.100.240" ], "related.user": [ "stenatus" @@ -2284,8 +2284,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.80.57.247", - "10.229.242.223" + "10.229.242.223", + "10.80.57.247" ], "related.user": [ "itasp" @@ -2357,8 +2357,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.106.77.138", - "10.193.66.155" + "10.193.66.155", + "10.106.77.138" ], "related.user": [ "iusmodt" @@ -2372,8 +2372,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "uteir", "rsa.misc.action": [ - "Allowed", - "Section" + "Section", + "Allowed" ], "rsa.misc.category": "cididu", "rsa.misc.filter": "Utenima", @@ -2430,8 +2430,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.236.230.136", - "10.54.159.1" + "10.54.159.1", + "10.236.230.136" ], "related.user": [ "mUteni" @@ -2518,8 +2518,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tvolup", "rsa.misc.action": [ - "utemvel", - "Allowed" + "Allowed", + "utemvel" ], "rsa.misc.category": "untutlab", "rsa.misc.filter": "dol", @@ -2649,8 +2649,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.128.184.241", - "10.138.188.201" + "10.138.188.201", + "10.128.184.241" ], "related.user": [ "etur" @@ -2810,8 +2810,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "idolores", "rsa.misc.action": [ - "lestia", - "Blocked" + "Blocked", + "lestia" ], "rsa.misc.category": "risni", "rsa.misc.filter": "emacc", @@ -2868,8 +2868,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.33.144.10", - "10.202.224.79" + "10.202.224.79", + "10.33.144.10" ], "related.user": [ "rios" @@ -2883,8 +2883,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "lit", "rsa.misc.action": [ - "Blocked", - "quu" + "quu", + "Blocked" ], "rsa.misc.category": "oluptate", "rsa.misc.filter": "exercita", @@ -2982,7 +2982,7 @@ ], "url.original": "https://mail.example.com/qui/equeporr.jpg?itsedd=texpli#liquipex", "user.name": "CSe", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "U307AS", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", "user_agent.os.full": "Android 9", @@ -3029,8 +3029,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "voluptas", "rsa.misc.action": [ - "olor", - "Allowed" + "Allowed", + "olor" ], "rsa.misc.category": "ataevita", "rsa.misc.filter": "nderi", @@ -3160,8 +3160,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.137.164.122", - "10.143.0.78" + "10.143.0.78", + "10.137.164.122" ], "related.user": [ "orissus" @@ -3233,8 +3233,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.30.87.51", - "10.156.177.53" + "10.156.177.53", + "10.30.87.51" ], "related.user": [ "psaquaea" @@ -3321,8 +3321,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tatemse", "rsa.misc.action": [ - "upta", - "Blocked" + "Blocked", + "upta" ], "rsa.misc.category": "tlabo", "rsa.misc.filter": "aliqui", @@ -3379,8 +3379,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.141.195.13", - "10.180.150.47" + "10.180.150.47", + "10.141.195.13" ], "related.user": [ "taliq" @@ -3394,8 +3394,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "itesse", "rsa.misc.action": [ - "Allowed", - "uip" + "uip", + "Allowed" ], "rsa.misc.category": "teturad", "rsa.misc.filter": "roquisqu", @@ -3452,8 +3452,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.255.40.12", - "10.166.195.20" + "10.166.195.20", + "10.255.40.12" ], "related.user": [ "lamcolab" @@ -3467,8 +3467,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "mipsumq", "rsa.misc.action": [ - "Allowed", - "citation" + "citation", + "Allowed" ], "rsa.misc.category": "usant", "rsa.misc.filter": "Nem", @@ -3523,8 +3523,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.100.143.226", - "10.22.122.43" + "10.22.122.43", + "10.100.143.226" ], "related.user": [ "ute" @@ -3538,8 +3538,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ento", "rsa.misc.action": [ - "Blocked", - "Bonoru" + "Bonoru", + "Blocked" ], "rsa.misc.category": "luptasnu", "rsa.misc.filter": "quamni", @@ -3564,7 +3564,7 @@ ], "url.original": "https://example.org/tvolu/dutper.html?nbyCicer=scipit#equuntu", "user.name": "ute", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Yandex Browser", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36", "user_agent.os.full": "Mac OS X 10.15.6", @@ -3596,8 +3596,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.121.9.5", - "10.119.53.68" + "10.119.53.68", + "10.121.9.5" ], "related.user": [ "ssec" @@ -3611,8 +3611,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "dexea", "rsa.misc.action": [ - "tinvolup", - "Blocked" + "Blocked", + "tinvolup" ], "rsa.misc.category": "ende", "rsa.misc.filter": "onse", @@ -3755,8 +3755,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "epor", "rsa.misc.action": [ - "etquasia", - "Allowed" + "Allowed", + "etquasia" ], "rsa.misc.category": "iaturE", "rsa.misc.filter": "rep", @@ -3809,8 +3809,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.39.46.155", - "10.120.138.109" + "10.120.138.109", + "10.39.46.155" ], "related.user": [ "picia" @@ -3824,8 +3824,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "adipisc", "rsa.misc.action": [ - "exer", - "Blocked" + "Blocked", + "exer" ], "rsa.misc.category": "remagna", "rsa.misc.filter": "emvel", @@ -3850,7 +3850,7 @@ ], "url.original": "https://example.com/itsedqu/paq.jpg?hilmol=oluptate#todi", "user.name": "picia", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "U307AS", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", "user_agent.os.full": "Android 9", @@ -3897,8 +3897,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ecillum", "rsa.misc.action": [ - "emp", - "Blocked" + "Blocked", + "emp" ], "rsa.misc.category": "ciati", "rsa.misc.filter": "elit", @@ -4333,8 +4333,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tDuisaut", "rsa.misc.action": [ - "upidatat", - "Allowed" + "Allowed", + "upidatat" ], "rsa.misc.category": "aliquide", "rsa.misc.filter": "deriti", @@ -4359,7 +4359,7 @@ ], "url.original": "https://api.example.com/lits/tvolu.jpg?squir=gnaaliq#quam", "user.name": "tsedquia", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "G8142", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", "user_agent.os.full": "Android 9", @@ -4406,8 +4406,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "rroq", "rsa.misc.action": [ - "fdeFin", - "Blocked" + "Blocked", + "fdeFin" ], "rsa.misc.category": "diduntut", "rsa.misc.filter": "ano", @@ -4533,8 +4533,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.248.108.55", - "10.120.215.174" + "10.120.215.174", + "10.248.108.55" ], "related.user": [ "prehend" @@ -4548,8 +4548,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "rema", "rsa.misc.action": [ - "uatDu", - "Allowed" + "Allowed", + "uatDu" ], "rsa.misc.category": "ent", "rsa.misc.filter": "iscivel", @@ -4604,8 +4604,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.51.161.245", - "10.15.254.181" + "10.15.254.181", + "10.51.161.245" ], "related.user": [ "abo" @@ -4645,7 +4645,7 @@ ], "url.original": "https://www5.example.net/yCice/uinesci.htm?taevitae=dminimv#quam", "user.name": "abo", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "5024D_RU", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61", "user_agent.os.full": "Android 9", @@ -4677,8 +4677,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.7.152.238", - "10.129.66.196" + "10.129.66.196", + "10.7.152.238" ], "related.user": [ "equamn" @@ -4750,8 +4750,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.185.107.27", - "10.29.162.157" + "10.29.162.157", + "10.185.107.27" ], "related.user": [ "evelite" @@ -4765,8 +4765,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "orinrep", "rsa.misc.action": [ - "squirat", - "Blocked" + "Blocked", + "squirat" ], "rsa.misc.category": "sequa", "rsa.misc.filter": "orainci", @@ -4823,8 +4823,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.215.63.248", - "10.138.0.214" + "10.138.0.214", + "10.215.63.248" ], "related.user": [ "eavolupt" @@ -4838,8 +4838,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "odita", "rsa.misc.action": [ - "dqu", - "Blocked" + "Blocked", + "dqu" ], "rsa.misc.category": "ipex", "rsa.misc.filter": "ine", @@ -4864,7 +4864,7 @@ ], "url.original": "https://mail.example.org/umdolo/nimv.htm?equunt=tutla#usmod", "user.name": "eavolupt", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "5024D_RU", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61", "user_agent.os.full": "Android 9", @@ -5115,8 +5115,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.249.1.143", - "10.124.177.226" + "10.124.177.226", + "10.249.1.143" ], "related.user": [ "isciveli" @@ -5156,7 +5156,7 @@ ], "url.original": "https://internal.example.org/olorin/orisnisi.gif?eritquii=atevelit#dese", "user.name": "isciveli", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Yandex Browser", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36", "user_agent.os.full": "Mac OS X 10.15.6", @@ -5188,8 +5188,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.146.228.249", - "10.167.176.220" + "10.167.176.220", + "10.146.228.249" ], "related.user": [ "estla" @@ -5261,8 +5261,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.203.47.23", - "10.200.74.101" + "10.200.74.101", + "10.203.47.23" ], "related.user": [ "litesse" @@ -5276,8 +5276,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "nde", "rsa.misc.action": [ - "iqu", - "Allowed" + "Allowed", + "iqu" ], "rsa.misc.category": "ametco", "rsa.misc.filter": "ntincul", @@ -5334,8 +5334,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.24.23.209", - "10.162.78.48" + "10.162.78.48", + "10.24.23.209" ], "related.user": [ "ntore" @@ -5375,7 +5375,7 @@ ], "url.original": "https://example.com/sedqui/iuntNe.gif?epteu=nvent#uepor", "user.name": "ntore", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "U307AS", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; U307AS) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", "user_agent.os.full": "Android 9", @@ -5407,8 +5407,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.55.151.53", - "10.211.66.68" + "10.211.66.68", + "10.55.151.53" ], "related.user": [ "squir" @@ -5422,8 +5422,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "diconseq", "rsa.misc.action": [ - "umet", - "Allowed" + "Allowed", + "umet" ], "rsa.misc.category": "ciad", "rsa.misc.filter": "oeiusmod", @@ -5448,7 +5448,7 @@ ], "url.original": "https://www5.example.net/lits/Nemoen.txt?elillu=seruntmo#imidest", "user.name": "squir", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "G8142", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", "user_agent.os.full": "Android 9", @@ -5521,7 +5521,7 @@ ], "url.original": "https://example.org/eius/evo.jpg?iarchit=volupt#ipis", "user.name": "mes", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "G8142", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; G8142) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", "user_agent.os.full": "Android 9", @@ -5626,8 +5626,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.124.119.48", - "10.26.222.144" + "10.26.222.144", + "10.124.119.48" ], "related.user": [ "nre" @@ -5641,8 +5641,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "lloin", "rsa.misc.action": [ - "Blocked", - "ici" + "ici", + "Blocked" ], "rsa.misc.category": "quidolor", "rsa.misc.filter": "nonproi", @@ -5714,8 +5714,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "officiad", "rsa.misc.action": [ - "Allowed", - "antium" + "antium", + "Allowed" ], "rsa.misc.category": "emoeni", "rsa.misc.filter": "itvo", @@ -5740,7 +5740,7 @@ ], "url.original": "https://mail.example.org/ntutlabo/leumiure.htm?eacommo=amqua#tionevol", "user.name": "ten", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "LM-V350", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", "user_agent.os.full": "Android 10", @@ -5959,7 +5959,7 @@ ], "url.original": "https://mail.example.net/enbyCic/aturau.gif?orroqui=sci#psamvolu", "user.name": "tectobe", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Yandex Browser", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36", "user_agent.os.full": "Mac OS X 10.15.6", @@ -6105,7 +6105,7 @@ ], "url.original": "https://api.example.net/mnisiut/eabil.jpg?psumqui=trude#ccusa", "user.name": "redolo", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "LM-V350", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", "user_agent.os.full": "Android 10", @@ -6137,8 +6137,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.13.125.101", - "10.97.202.149" + "10.97.202.149", + "10.13.125.101" ], "related.user": [ "colab" @@ -6152,8 +6152,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "atcupi", "rsa.misc.action": [ - "Blocked", - "uaUten" + "uaUten", + "Blocked" ], "rsa.misc.category": "modt", "rsa.misc.filter": "magnidol", @@ -6225,8 +6225,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "itautf", "rsa.misc.action": [ - "Blocked", - "mini" + "mini", + "Blocked" ], "rsa.misc.category": "gna", "rsa.misc.filter": "usmo", @@ -6283,8 +6283,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.10.25.145", - "10.224.249.228" + "10.224.249.228", + "10.10.25.145" ], "related.user": [ "mnisiuta" @@ -6298,8 +6298,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "issuscip", "rsa.misc.action": [ - "Blocked", - "remap" + "remap", + "Blocked" ], "rsa.misc.category": "eetdolo", "rsa.misc.filter": "rsitam", @@ -6324,7 +6324,7 @@ ], "url.original": "https://www.example.org/iat/acom.html?umdolo=oluptass#umqu", "user.name": "mnisiuta", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "LM-V350", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 10; LM-V350) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Mobile Safari/537.36", "user_agent.os.full": "Android 10", @@ -6371,8 +6371,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "neavolu", "rsa.misc.action": [ - "nofdeF", - "Blocked" + "Blocked", + "nofdeF" ], "rsa.misc.category": "remagnam", "rsa.misc.filter": "maveniam", @@ -6397,7 +6397,7 @@ ], "url.original": "https://www.example.com/onorum/umiure.gif?lites=admini#trumexer", "user.name": "aeabillo", - "user_agent.device.name": "Generic Tablet", + "user_agent.device.name": "Notepad_K10", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36", "user_agent.os.full": "Android 9", @@ -6444,8 +6444,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ilmoles", "rsa.misc.action": [ - "Blocked", - "tatisetq" + "tatisetq", + "Blocked" ], "rsa.misc.category": "ametco", "rsa.misc.filter": "liquide", @@ -6502,8 +6502,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.154.188.132", - "10.166.205.159" + "10.166.205.159", + "10.154.188.132" ], "related.user": [ "uptat" @@ -6640,8 +6640,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.172.159.251", - "10.254.119.31" + "10.254.119.31", + "10.172.159.251" ], "related.user": [ "usm" @@ -6655,8 +6655,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "imadmi", "rsa.misc.action": [ - "tatemacc", - "Blocked" + "Blocked", + "tatemacc" ], "rsa.misc.category": "tutlabor", "rsa.misc.filter": "eturad", @@ -6728,8 +6728,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "isnost", "rsa.misc.action": [ - "Allowed", - "oriosa" + "oriosa", + "Allowed" ], "rsa.misc.category": "uis", "rsa.misc.filter": "nemul", @@ -6801,8 +6801,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "ntut", "rsa.misc.action": [ - "nima", - "Blocked" + "Blocked", + "nima" ], "rsa.misc.category": "boru", "rsa.misc.filter": "umquia", @@ -6827,7 +6827,7 @@ ], "url.original": "https://www5.example.org/oriosa/ssusc.htm?atemacc=rsitvolu#isi", "user.name": "eroi", - "user_agent.device.name": "Other", + "user_agent.device.name": "Mac", "user_agent.name": "Yandex Browser", "user_agent.original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.122 YaBrowser/20.3.0.2221 Yowser/2.5 Safari/537.36", "user_agent.os.full": "Mac OS X 10.15.6", @@ -6874,8 +6874,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "tquovo", "rsa.misc.action": [ - "qua", - "Allowed" + "Allowed", + "qua" ], "rsa.misc.category": "ectet", "rsa.misc.filter": "lites", @@ -6932,8 +6932,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.131.81.172", - "10.139.90.218" + "10.139.90.218", + "10.131.81.172" ], "related.user": [ "hende" @@ -7005,8 +7005,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.152.217.174", - "10.128.43.71" + "10.128.43.71", + "10.152.217.174" ], "related.user": [ "mquiado" @@ -7020,8 +7020,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "olupt", "rsa.misc.action": [ - "Blocked", - "temvele" + "temvele", + "Blocked" ], "rsa.misc.category": "natuser", "rsa.misc.filter": "amnihil", @@ -7046,7 +7046,7 @@ ], "url.original": "https://www.example.org/erit/asiarch.gif?tdolor=oremagna#siuta", "user.name": "mquiado", - "user_agent.device.name": "Generic Tablet", + "user_agent.device.name": "Notepad_K10", "user_agent.name": "Chrome", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; Notepad_K10) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.83 Safari/537.36", "user_agent.os.full": "Android 9", @@ -7078,8 +7078,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.217.193.148", - "10.26.149.221" + "10.26.149.221", + "10.217.193.148" ], "related.user": [ "uisa" @@ -7224,8 +7224,8 @@ "observer.type": "Configuration", "observer.vendor": "Zscaler", "related.ip": [ - "10.119.106.108", - "10.135.38.213" + "10.135.38.213", + "10.119.106.108" ], "related.user": [ "ore" @@ -7265,7 +7265,7 @@ ], "url.original": "https://mail.example.com/ostr/liqu.txt?niam=mullamc#umtota", "user.name": "ore", - "user_agent.device.name": "Generic Smartphone", + "user_agent.device.name": "5024D_RU", "user_agent.name": "Chrome Mobile", "user_agent.original": "Mozilla/5.0 (Linux; Android 9; 5024D_RU Build/PPR1.180610.011) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.92 Mobile Safari/537.36 YaApp_Android/10.61 YaSearchBrowser/10.61", "user_agent.os.full": "Android 9", diff --git a/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json b/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json index 423d10f5ac2b..66ca65108fd2 100644 --- a/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json +++ b/x-pack/filebeat/module/zscaler/zia/test/test.log-expected.json @@ -28,8 +28,8 @@ "rsa.investigations.ec_theme": "Communication", "rsa.investigations.event_vcat": "", "rsa.misc.action": [ - "", - "" + "", + "" ], "rsa.misc.category": "", "rsa.misc.filter": "",